Bug 64722 - SSLPassPhraseDialog builtin doesn't prompt for passphrase
Status: RESOLVED INVALID
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.34
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2020-09-08 15:26 UTC by kvedenskii
Modified: 2020-09-08 16:22 UTC

Attachments
error log (1.47 KB, text/plain)
2020-09-08 15:28 UTC, kvedenskii
Description kvedenskii 2020-09-08 15:26:07 UTC
builtin program for SSLPassPhraseDialog doesn't prompt for password on apache start / restart via systemd, and apache fails to boot. Changing certificate path and generating new ones doesn't make any difference.
When I switch to httpd-ssl-pass-dialog from mod_ssl package it prompts for passphrase and restarts just fine.

Distro:
Red Hat Enterprise Linux Server release 7.8 (Maipo)

=====
Apache:
Server version: Apache/2.4.34 (Red Hat)
Server built:   Mar 17 2020 09:34:59
Server's Module Magic Number: 20120211:79
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/rh/httpd24/root/etc/httpd"
 -D SUEXEC_BIN="/opt/rh/httpd24/root/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

=====
Certificates generated with:
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

=====
SSL configuration:
SSLEngine on
SSLCertificateFile "/root/tmp/server.crt"
SSLCertificateKeyFile "/root/tmp/server.key"
SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on

=====
Error log:
attached
Comment 1 kvedenskii 2020-09-08 15:28:13 UTC
Created attachment 37435
error log
Comment 2 Joe Orton 2020-09-08 16:22:05 UTC
(In reply to kvedenskii from comment #0)
> builtin program for SSLPassPhraseDialog doesn't prompt for password on
> apache start / restart via systemd, and apache fails to boot. Changing
> certificate path and generating new ones doesn't make any difference.
> When I switch to httpd-ssl-pass-dialog from mod_ssl package it prompts for
> passphrase and restarts just fine.

So use that?  The script is provided to prompt via systemd.  If you want to prompt from a tty when running httpd directly, that will work fine if you use builtin.  The httpd_tty_comm boolean may make a difference here.

Regardless, if you are using a build of httpd provided by a vendor, please report bugs directly to the vendor (i.e. Red Hat in this case) rather than upstream.
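
Added example, not part of the bug thread or of httpd's own tooling: a pre-flight check for the situation discussed above, where a passphrase-protected key is combined with the builtin dialog, which prompts on a tty and so has nowhere to prompt when httpd is started via systemd. The function names, the single-file config handling and the exec: path are assumptions made for illustration; the sample key header is constructed and contains no key material.

```shell
#!/bin/sh
# Added example: flag encrypted TLS keys paired with "SSLPassPhraseDialog builtin".

# Succeeds if FILE is a passphrase-protected PEM private key
# (traditional "Proc-Type: 4,ENCRYPTED" header or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Prints one verdict line per SSLCertificateKeyFile found in CONF.
# Simplification: one config file, no Include handling; last dialog directive wins.
check_dialog() {
    conf=$1
    # mod_ssl defaults to builtin when the directive is absent.
    dialog=$(awk 'tolower($1) == "sslpassphrasedialog" { d = $2 }
                  END { print (d == "" ? "builtin" : d) }' "$conf")
    awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$conf" |
    while read -r key; do
        if [ ! -r "$key" ]; then
            echo "SKIP $key: not readable"
        elif ! key_is_encrypted "$key"; then
            echo "OK $key: no passphrase needed"
        elif [ "$dialog" = builtin ]; then
            echo "WARN $key: encrypted key + builtin dialog (needs a tty, no prompt via systemd)"
        else
            echo "OK $key: encrypted key, passphrase from $dialog"
        fi
    done
}

# Demo on constructed input: key header lines only, no real key material.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$d/server.key"
    printf 'SSLEngine on\nSSLCertificateKeyFile "%s"\n' "$d/server.key" > "$d/builtin.conf"
    # The exec: path below is a placeholder, not the helper's real location.
    printf 'SSLPassPhraseDialog exec:/path/to/httpd-ssl-pass-dialog\nSSLCertificateKeyFile "%s"\n' \
        "$d/server.key" > "$d/exec.conf"
    check_dialog "$d/builtin.conf"
    check_dialog "$d/exec.conf"
    rm -rf "$d"
}
demo
```

Run it against the active SSL configuration file as a user that can read the key files; a WARN line means the service needs either an exec: dialog helper or a start from an interactive terminal.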