> From: owner-openssl-us...@openssl.org On Behalf Of Matt Caswell (fr...@baggins.org)
> Sent: Thursday, 26 January, 2012 18:16
> I think that the stream that it writes to is platform specific. <snip>
> So depending on your platform it will be one of stderr, con
> or /dev/tty.
> Since you said you've attempted to redirect the output for stdout and
> stderr already, I'm guessing that for you it is writing
> direct to /dev/tty.
>
> On 26/01/12 22:29, Robert O'Hearne wrote:
> > I am using a Java program to call a Perl script which calls
> > curl to upload a file to an FTPS server. The FTPS server has
> > a certificate which requires a pass phrase. My Java program
> > reads from standard error looking for the "Enter PEM pass
> > phrase:" prompt so I can then write the pass phrase to stdin.
> >

First, for clarification: the server almost certainly "has" a certificate, perhaps several, and your client (curl) needs nothing about them beyond what it gets in the protocol plus your local truststore. What you almost certainly mean is that the server requires *your client system* to have a certificate, used to "authenticate" you (here, to decide that you're permitted to upload), which must be matched with a private key, and the *private key* requires a passphrase.

> > The problem is the "Enter PEM pass phrase:" prompt is not
> > present in standard error or standard out. <snip>

As above, it's going to /dev/tty, which is not redirectable. And OpenSSL reads the *input* from /dev/tty also, which is what really matters for you.

> > I am trying to understand how OpenSSL writes this prompt,
> > especially to what stream it writes it. I believe curl is
> > calling SSL_CTX_use_certificate_chain_file which issues the
> > prompt, but I am not certain about that. <snip>

Neither use_cert_chain nor use_cert needs a passphrase, and the options I see in the curl man page suggest that it does only a single cert, not a chain, although it could have undocumented cleverness. The passphrase prompt would be in use_PrivateKey.
The man page explains that curl can take the cert (or conceivably chain) and private key in a single file, which is a convenient and fairly common approach, but use_PrivateKey and use_cert[_chain] are still separate calls, and only use_PrivateKey would need the passphrase.

To fake "manual" input on /dev/tty, you need to use a pseudo-TTY or PTY. PTYs are a different OS feature from redirection and pipes, and usually work on Unix (though there can be exceptions) but not on Windows. A quick search finds the CPAN modules IO::Pty::Easy, IO::Pty and Expect, all of which say they use PTYs via IO::Tty and look like they could solve your problem.

There are at least two ways to avoid the problem by not prompting for the passphrase at all, although at least one is often less secure. But that wasn't your question.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
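The PTY approach the reply above points at, shown in Python rather than Perl as an added example (this is not code from the thread, from OpenSSL or from curl). It uses only the standard-library pty module: the child is given a pseudo-terminal as its controlling tty, the parent watches the master side for the "Enter PEM pass phrase:" text and types the passphrase there, which is the only place a program that opens /dev/tty itself will read it. The child program is a constructed stand-in (an assumption, built on getpass so that it opens /dev/tty directly and turns echo off, the behaviour the thread attributes to OpenSSL); for the real job the argv would be the curl command line the Perl script already builds, which is also an assumption since that command line is not on the page.

```python
"""Feed a passphrase to a program that prompts on /dev/tty, not stdin/stderr."""
import os
import pty
import select
import sys

PROMPT = "Enter PEM pass phrase:"

# Constructed stand-in for the real prompting program (assumption: it behaves
# like OpenSSL's prompt by opening /dev/tty itself, with echo off while
# reading).  stdin/stderr redirection never sees this prompt.
CHILD_SCRIPT = r"""
import getpass, sys
phrase = getpass.getpass("Enter PEM pass phrase:")
sys.stdout.write("accepted\n" if phrase == "s3cret" else "rejected\n")
sys.stdout.flush()
sys.exit(0 if phrase == "s3cret" else 1)
"""


def _read(fd, size=4096):
    """os.read that treats the Linux EIO-on-hangup as a clean EOF."""
    try:
        return os.read(fd, size)
    except OSError:
        return b""


def run_with_passphrase(argv, prompt, passphrase, timeout=5.0):
    """Run argv on a PTY; when `prompt` shows up on the terminal, type the passphrase.

    Returns (exit_code, everything the child wrote to its terminal).
    """
    pid, master = pty.fork()       # child: slave becomes /dev/tty and fds 0, 1, 2
    if pid == 0:
        os.execvp(argv[0], argv)   # never returns
    out = b""
    want = prompt.encode()
    try:
        # Phase 1: wait for the prompt.  It is read from the PTY master, which is
        # where writes to /dev/tty end up; a pipe on stderr would never see it.
        while want not in out:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:
                raise TimeoutError("no prompt within %ss, saw %r" % (timeout, out))
            chunk = _read(master)
            if not chunk:
                raise EOFError("child exited before prompting, saw %r" % out)
            out += chunk
        # Phase 2: answer it.  The child has turned echo off on the slave, so the
        # secret is not reflected back into `out`.
        os.write(master, passphrase.encode() + b"\n")
        # Phase 3: drain until the child closes its side of the terminal.
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:
                break
            chunk = _read(master)
            if not chunk:
                break
            out += chunk
    finally:
        os.close(master)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return code, out.decode(errors="replace")


def demo(passphrase="s3cret"):
    """Drive the stand-in child the way a Java/Perl wrapper would drive curl."""
    return run_with_passphrase([sys.executable, "-c", CHILD_SCRIPT], PROMPT, passphrase)


if __name__ == "__main__":
    code, transcript = demo()
    print("exit=%d transcript=%r" % (code, transcript))
```

The transcript the parent collects contains the prompt and the child's "accepted" line but not the passphrase itself, because echo is disabled on the slave while the secret is read; a wrapper that logs that transcript therefore does not leak the passphrase. The same loop works unchanged for any program that prompts on its controlling terminal, which is why Expect-style modules are the usual tool for this.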