From: Joe Orton
To: dev@httpd.apache.org
Subject: Re: [PATCH] get a pointer to the raw cert from mod_ssl
Date: Wed, 2 Feb 2005 12:37:37 +0000
Message-ID: <20050202123737.GB10669@redhat.com>

On Wed, Feb 02, 2005 at 11:36:41AM +0000, Ben Laurie wrote:
> Joe Orton wrote:
> >On Wed, Feb 02, 2005 at 11:09:47AM +0000, David Reid wrote:
> >>The issue is a need to get access to the internals of the structure.
> >
> >
> >By exposing the X509 * directly you expose a dependency on the
> >underlying SSL toolkit. What if mod_ssl was built to use the RSA
> >toolkit; will the X509 * have the same fields and layout? That's why
> >it's preferable to just expose the DER: there's nothing you can't do
> >with the DER that you can do with the X509 * anyway.
>
> This is a somewhat frivolous point though. If you expose the DER, then
> the module will have to have some crypto toolkit to understand it. If
> it's a different one from the one mod_ssl is using, then it can always
> convert to DER and into its own format, using the same kit mod_ssl uses
> for the first step. So, it seems to me that this is simply making work
> for modules to no real gain.

That all presumes that random third-party modules can determine which
type of SSL toolkit mod_ssl was built with and where the headers are
etc, which isn't the case.

> Certainly it should only be exported in this format if OpenSSL is in use.
>
> BTW, I'd advocate using a hook that was typesafe!

Exactly my point: you can't do that without exposing OpenSSL headers
through mod_ssl.h and making the hook declaration conditional on SSL
support being enabled and all that mess.

joe
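
Added example, not part of the original message or of mod_ssl: a consumer that receives only DER bytes can walk the certificate without any SSL toolkit headers or knowledge of a struct layout. The names der_tlv, der_read and cert_serial are hypothetical, and the sample bytes are a constructed skeleton of a certificate's first fields, not a real certificate.

```c
#include <stddef.h>
#include <stdio.h>
/* Added illustration; der_tlv, der_read, cert_serial are hypothetical names. */
typedef struct { unsigned char tag; const unsigned char *val; size_t len; } der_tlv;

/* Decode one TLV from buf[0..n). Returns bytes consumed, 0 if malformed. */
static size_t der_read(const unsigned char *buf, size_t n, der_tlv *out)
{
    size_t hdr = 2, len, i, k;
    if (n < 2 || (buf[0] & 0x1f) == 0x1f) return 0;   /* multi-byte tags unsupported */
    len = buf[1];
    if (len & 0x80) {                                 /* long-form length */
        k = len & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n < 2 + k) return 0;
        for (len = 0, i = 0; i < k; i++) len = (len << 8) | buf[2 + i];
        hdr += k;
    }
    if (len > n - hdr) return 0;                      /* contents run past buffer */
    out->tag = buf[0]; out->val = buf + hdr; out->len = len;
    return hdr + len;
}

/* Find serialNumber in Certificate -> tbsCertificate. Returns 0 on success. */
int cert_serial(const unsigned char *der, size_t n, der_tlv *serial)
{
    der_tlv cert, tbs, f;
    size_t used;
    if (!der_read(der, n, &cert) || cert.tag != 0x30) return -1;
    if (!der_read(cert.val, cert.len, &tbs) || tbs.tag != 0x30) return -1;
    used = der_read(tbs.val, tbs.len, &f);
    if (used && f.tag == 0xa0)                        /* optional [0] version */
        used = der_read(tbs.val + used, tbs.len - used, &f);
    if (!used || f.tag != 0x02) return -1;            /* must be INTEGER */
    *serial = f;
    return 0;
}
/* Constructed sample: skeleton of a certificate's first fields, not a real cert. */
static const unsigned char SAMPLE_DER[] = {
    0x30, 0x0e, 0x30, 0x0c,                   /* Certificate, tbsCertificate */
    0xa0, 0x03, 0x02, 0x01, 0x02,             /* [0] version = 2 (v3) */
    0x02, 0x03, 0x01, 0x00, 0x01,             /* serialNumber = 0x010001 */
    0x30, 0x00 };                             /* empty placeholder SEQUENCE */
int main(void)
{
    der_tlv s; size_t i;
    if (cert_serial(SAMPLE_DER, sizeof SAMPLE_DER, &s) != 0) return 1;
    for (i = 0; i < s.len; i++) printf("%02x", s.val[i]);
    putchar('\n');
    return 0;
}
```

Every length is checked against the enclosing buffer before it is used, so a truncated or malformed blob is rejected instead of being read past its end.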