httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] get a pointer to the raw cert from mod_ssl
Date Wed, 02 Feb 2005 12:37:37 GMT

On Wed, Feb 02, 2005 at 11:36:41AM +0000, Ben Laurie wrote:
> Joe Orton wrote:
> >On Wed, Feb 02, 2005 at 11:09:47AM +0000, David Reid wrote:
> >>The issue is a need to get access to the internals of the structure.
> >
> >
> >By exposing the X509 * directly you expose a dependency on the
> >underlying SSL toolkit.  What if mod_ssl was built to use the RSA
> >toolkit; will the X509 * have the same fields and layout?  That's why
> >it's preferable to just expose the DER: there's nothing you can't do
> >with the DER that you can do with the X509 * anyway.
> 
> This is a somewhat frivolous point though. If you expose the DER, then 
> the module will have to have some crypto toolkit to understand it. If 
> it's a different one from the one mod_ssl is using, then it can always
> convert to DER and into its own format, using the same kit mod_ssl uses 
> for the first step. So, it seems to me that this is simply making work 
> for modules to no real gain.

That all presumes that random third-party modules can determine which
type of SSL toolkit mod_ssl was built with and where the headers are
etc, which isn't the case.

> Certainly it should only be exported in this format if OpenSSL is in use.
> 
> BTW, I'd advocate using a hook that was typesafe!

Exactly my point: you can't do that without exposing OpenSSL headers
through mod_ssl.h and making the hook declaration conditional on SSL
support being enabled and all that mess.

joe
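
What consuming a DER-only interface can look like from a third-party module, as an added example that is not part of this thread or of mod_ssl: it reads the certificate serial number from raw DER bytes with bounds-checked length parsing and no SSL toolkit headers. The names `der_hdr`, `cert_serial_from_der` and `sample_skeleton` are hypothetical, the sample bytes are a constructed skeleton rather than a real certificate, and the DER is assumed to arrive as a pointer plus length.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: SEQUENCE { SEQUENCE { [0]{INTEGER 2}, INTEGER 0x010001 } } */
static const unsigned char sample_skeleton[] = {
    0x30,0x0C, 0x30,0x0A, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x03,0x01,0x00,0x01 };

/* Read one TLV header at *p, bounded by end. On success store the tag, move
 * *p to the value, store its length, return 0. Minimal-length form not enforced. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2) return -1;
    *tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                       /* long form: low 7 bits = octet count */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > sizeof(size_t) || (size_t)(end - q) < cnt) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1; /* value must fit inside the buffer */
    *p = q; *len = n;
    return 0;
}

/* Find serialNumber in Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 * [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }. 0 on success. */
int cert_serial_from_der(const unsigned char *der, size_t der_len,
                         const unsigned char **serial, size_t *serial_len)
{
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag; size_t len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* Certificate */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* tbsCertificate */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len)) return -1;
    if (tag == 0xA0) {                    /* skip the explicit [0] version */
        p += len;
        if (der_hdr(&p, end, &tag, &len)) return -1;
    }
    if (tag != 0x02 || len == 0) return -1;
    *serial = p; *serial_len = len;
    return 0;
}

int main(void) {
    const unsigned char *s; size_t n;
    if (cert_serial_from_der(sample_skeleton, sizeof sample_skeleton, &s, &n)) return 1;
    printf("serial is %zu bytes\n", n); return 0; }
```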
