httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Geoff Thorpe <ge...@geoffthorpe.net>
Subject Re: [PATCH] OpenSSL dynamic engines under 2.0.48
Date Tue, 17 Feb 2004 21:46:21 GMT
Hi there,

On February 17, 2004 03:26 pm, Serge Hallyn wrote:
> We have a need to use a dynamic OpenSSL engine under apache.  The
> attached patch (against 2.0.48) directs apache to accept ssl.conf
> directives such as:
>
> SSLCryptoDevice dynamic
> SSLCryptoLibpath /usr/local/lib/hw_ibmca.so
> SSLCryptoDevID ibmca
>
> directing openssl to load hw_ibmca.so dynamically as engine id ibmca.
>
> Is there a fundamental complaint against incorporation of this feature?

Not a fundamental one, but something more aesthetic, yeah :-) I wrote a 
patch ages ago (that hasn't been updated since) to add more generalised 
control-command support to Apache. That was for mod_ssl/apache-1.3 
though, so it has only illustrative value for now. You can link to the 
patch and the explanatory email down in the "news" section of;
   http://www.geoffthorpe.net/crypto/
(yes, another page that hasn't been updated in a while).

The idea of control-commands is more general than supplying a 
shared-library path or an ID, so I think it makes sense to add the more 
general mechanism if we are going to go this route at all. Eg. your above 
example would then be;

SSLCryptoDevice		dynamic
SSLCryptoDeviceCtrl	SO_PATH:/usr/local/lib/hw_ibmca.so
SSLCryptoDeviceCtrl	ID:ibmca

As another example of where this can go, using HSM keys (or smart-cards, 
usb-keys, etc) via custom control commands could be entirely supported in 
this way - without needing to recompile openssl or apache. (An engine can 
expose control commands to identify and load private keys, and the 
private key file loaded by Apache could instead contain stub data 
interpreted by the engine implementation to refer to the HSM keys). It's 
a bit of an ugly hack, but it works. The point being; the only limit on 
what you can do from the configuration file is what the engine 
implementation exposes in the way of control commands - neither apache 
nor openssl need to be adjusted for each feature.

Note also that as of openssl 0.9.8, platforms that have DSO_METHOD support 
implemented will be able automatically load shared-library engines 
without any of this. ENGINE_by_id("foo") will attempt to automatically 
load and bind libfoo.so (dlfcn), "foo.dll" (win32), [etc] from a specific 
sub-directory of the openssl installation if the "foo" ENGINE doesn't 
already exist. So if Apache doesn't want to go the route of generalised 
control commands, they could wait until 0.9.8 is out and then this basic 
use-case will be available transparently, without any change to what's 
there now.

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/


Mime
View raw message