httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: svn commit: r611216 - in /httpd/httpd/trunk/modules/ssl: ssl_engine_init.c ssl_engine_kernel.c ssl_engine_vars.c ssl_private.h
Date Sat, 12 Jan 2008 07:59:39 GMT
Thanks for your review, Rüdiger.

>> +    /* set SSL_CTX (if matched) */
>> +    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
>> +        (sc = mySrvConfig(s))) {
>> +        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
>> +        /*
>> +         * SSL_set_SSL_CTX() only deals with the server cert,
>> +         * so we need to duplicate a few additional settings
>> +         * from the ctx by hand
>> +         */
>> +        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
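Review bot: `SSL_CTX_get_options(ssl->ctx)` reaches into the `SSL` struct's `ctx` member directly; at that point it is the context just installed by `SSL_set_SSL_CTX()`, so the public accessor `SSL_get_SSL_CTX(ssl)` (or `sc->server->ssl_ctx`) yields the same pointer without tying mod_ssl to OpenSSL's struct layout. Worth stating in the comment as well: `SSL_set_options()` only ORs bits in and never clears any, so option bits set on the context the connection was created with stay in effect after the switch to the SNI-selected context.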
> 
> 
> Sorry for being confused, but shouldn't this be sc->server->ssl_ctx
> instead of ssl->ctx?

It would amount to exactly the same thing, in fact. This is OpenSSL's 
implementation of SSL_set_SSL_CTX (from ssl/ssl_lib.c):

> SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
>         {
>         if (ssl->ctx == ctx)
>                 return ssl->ctx;
> #ifndef OPENSSL_NO_TLSEXT
>         if (ctx == NULL)
>                 ctx = ssl->initial_ctx;
> #endif
>         if (ssl->cert != NULL)
>                 ssl_cert_free(ssl->cert);
>         ssl->cert = ssl_cert_dup(ctx->cert);
>         CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
>         if (ssl->ctx != NULL)
>                 SSL_CTX_free(ssl->ctx); /* decrement reference count */
>         ssl->ctx = ctx;
>         return(ssl->ctx);
>         }

I.e. calling "SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx)" from modssl 
will set ssl->ctx to sc->server->ssl_ctx, so 
"SSL_CTX_get_options(ssl->ctx)" and 
"SSL_CTX_get_options(sc->server->ssl_ctx)" will do the same thing 
afterwards.

My idea was that it would be more appropriate to refer to the newly set 
context (that's why the SSL_set_SSL_CTX call is happening - which is 
actually the most important step). But on the other hand I have no 
strong feelings against using sc->server->ssl_ctx instead, if you prefer 
that one.

 >> +            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
 >> +                           SSL_CTX_get_verify_callback(ssl->ctx));
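Review bot: `SSL_set_verify()` carries over the verify mode and callback only. If the selected vhost's context also sets a verify depth, the connection keeps the depth it inherited from the initial context unless `SSL_set_verify_depth(ssl, SSL_CTX_get_verify_depth(...))` is added alongside this call; worth confirming that the depth is enforced elsewhere (e.g. in the verify callback) before leaving it out of the by-hand copy.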
 >
 > Same question as above.

Same answer as above :-)

Kaspar
