httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: SNI in 2.2.9? (Re: 2.2.9 status)
Date Thu, 05 Jun 2008 05:25:30 GMT
Joe Orton wrote:
> http://svn.apache.org/viewvc?rev=662815&view=rev
> 
> Changing the dirconf structure fields in-place seems ugly and may even 
> be thread-unsafe (not sure).

Thanks for pointing this out, I wasn't aware of the danger of doing so.
The same effect can be achieved with the attached, hopefully more
acceptable patch, however (diff against the current code in trunk).

> From a quick look I can't see how a reneg would be forced for any of:
> 
> 1) SSLCipherSuite changed since original vhost
> 2) SSLCACeritificate* changed since original vhost (where both 
> 3) SSLOCSP* changed since original vhost

To better understand what your primary concern is - can we agree what
specific case we're considering in this case? I see four of them, actually:

(1) SNI client connecting to
    (a) the first, access-restricted vhost
    (b) one of the other, also access-restricted vhosts (two or above)

(2) non-SNI client connecting to
    (a) the first, access-restricted vhost
    (b) one of the other, also access-restricted vhosts (two or above)

The issues you raised all belong to (2b), is that correct? From my
perspective, the patch is working correctly for (1a), (1b) and (2a), but
the question is  mainly how to handle (2b), i.e. properly enforcing
access restrictions for "legacy" clients for vhosts two and above.

> I would go through each of the config directive which 
> supports vhost context in turn.  What about SSLCertificateChainFile?  
> What about CRLs?  etc etc.

If we agree that the remaining problem is about enforcing access
control, then I would consider these directives relevant:

Directive                  accessed as... (assuming that mctx is
                           pointing to current modssl_ctx_t)

SSLCipherSuite             mctx->auth.cipher_suite
SSLVerifyDepth             mctx->auth.verify_depth
SSLVerifyClient            mctx->auth.verify_mode
SSLCACertificateFile       mctx->auth.ca_cert_file
SSLCACertificatePath       mctx->auth.ca_cert_path
SSLCARevocationFile        mctx->crl_file
SSLCARevocationPath        mctx->crl_path
SSLOCSDefaultResponder     mctx->ocsp_responder
SSLOCSPEnable              mctx->ocsp_enabled
SSLOCSPOverrideResponder   mctx->ocsp_force_default

Do you see others that should be added to this list?
(SSLCertificateChain is not relevant when verifying peer certs, and
apart from this, I didn't see any additional parameters in
modssl_ctx_t/modssl_auth_ctx_t which are relevant for access control.)

Kaspar

Mime
View raw message