httpd-dev mailing list archives
From Ben Laurie <...@algroup.co.uk>
Subject Re: [PATCH] get a pointer to the raw cert from mod_ssl
Date Wed, 02 Feb 2005 11:36:41 GMT
Joe Orton wrote:
> On Wed, Feb 02, 2005 at 11:09:47AM +0000, David Reid wrote:
> 
>>Joe Orton wrote:
>>
>>>On Wed, Feb 02, 2005 at 10:17:04AM +0000, David Reid wrote:
>>>
>>>
>>>>Basically this allows us to gain access to the actual cert structure.
>>>
>>>
>>>I don't like the idea of exposing the X509 * directly especially not
>>>through a char * interface.  Exposing the DER representation (e.g.
>>>base64-encoded) through ssl_var_lookup would be better.
> 
> 
> (of course that's essentially what _CERT_PEM is; but exporting it
> without the unnecessary PEM trimmings is useful too)
> 
> 
>>The issue is a need to get access to the internals of the structure.
> 
> 
> By exposing the X509 * directly you expose a dependency on the
> underlying SSL toolkit.  What if mod_ssl was built to use the RSA
> toolkit; will the X509 * have the same fields and layout?  That's why
> it's preferable to just expose the DER: there's nothing you can't do
> with the DER that you can do with the X509 * anyway.

This is a somewhat frivolous point though. If you expose the DER, then 
the module will have to have some crypto toolkit to understand it. If 
it's a different one from the one mod_ssl is using, then it can always 
convert to DER and into its own format, using the same kit mod_ssl uses 
for the first step. So, it seems to me that this is simply making work 
for modules to no real gain.

Certainly it should only be exported in this format if OpenSSL is in use.

BTW, I'd advocate using a hook that was typesafe!

Cheers,

Ben.


-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
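The thread turns on whether a module needs the toolkit's X509 * or can work from the DER that mod_ssl already exports (as _CERT_PEM, or as bare base64 without the PEM trimmings). The following is an added example, not code from httpd or mod_ssl, showing that the DER form is toolkit-neutral: it converts between PEM, raw DER and bare base64 with the Python standard library, and walks the outer ASN.1 structure to pull the version and serial number out of a constructed, truncated certificate-shaped blob (labelled as such; it is not a real certificate). The helper names and the sample bytes are this example's own.

```python
"""Added example (not mod_ssl code): the DER form of a certificate can be
carried as PEM, raw DER or bare base64 and parsed without the X509 * of
any particular SSL toolkit."""
import base64
import ssl

# Constructed, truncated certificate-shaped DER (NOT a real certificate):
#   SEQUENCE {                       -- Certificate
#     SEQUENCE {                     -- tbsCertificate, cut after serialNumber
#       [0] EXPLICIT { INTEGER 2 }   -- version: 2 means v3
#       INTEGER 0x1234               -- serialNumber
#     }
#   }
SAMPLE_DER = bytes.fromhex("300b3009a003020102" "02021234")


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_version_and_serial(der: bytes):
    """Return (version, serial) from the tbsCertificate of a DER Certificate."""
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    version = 1                       # v1 when the optional [0] version field is absent
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                   # context-specific [0] EXPLICIT wrapper
        _, vint, _ = read_tlv(value, 0)
        version = int.from_bytes(vint, "big") + 1
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(value, "big", signed=True)
    return version, serial


def der_to_pem(der: bytes) -> str:
    """DER -> PEM, i.e. what _CERT_PEM carries (stdlib ssl helper)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """PEM -> DER: strip the BEGIN/END armor and base64-decode."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_to_base64(der: bytes) -> str:
    """DER as bare base64, the 'without PEM trimmings' export from the thread."""
    return base64.b64encode(der).decode("ascii")


def base64_to_der(b64: str) -> bytes:
    return base64.b64decode(b64)


if __name__ == "__main__":
    print(parse_version_and_serial(SAMPLE_DER))
    print(der_to_pem(SAMPLE_DER))
    print(der_to_base64(SAMPLE_DER))
```

The parser only needs the DER encoding rules, not a toolkit's struct layout, which is the portability point made in the thread; a module using a different library would feed the same bytes to that library's DER decoder instead.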
