httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <>
Subject Re: SNI in 2.2.9? (Re: 2.2.9 status)
Date Thu, 05 Jun 2008 18:02:20 GMT
Joe Orton wrote:
> Access control is certainly the most important issue, but e.g. if 
> SSLCertificateChainFile is not supported properly for the named vhost 
> that's also a bug.  Many configs depend on supplying the intermediate 
> certs.

True. I'm using such a configuration on my test host since it's initial
setup (all hosts have at least one intermediate CA), and had verified
earlier that it's indeed working properly for SNI clients - just compare
the chains you get with

openssl s_client -connect -servername


openssl s_client -connect -servername

>> (SSLCertificateChain is not relevant when verifying peer certs, and
>> apart from this, I didn't see any additional parameters in
>> modssl_ctx_t/modssl_auth_ctx_t which are relevant for access control.)
> I'm think it is relevant.  AFAICT the SSL handshake which takes place in 
> the SNI case is going to be done using the settings from the SSL_CTX 
> from the original vhost not the named vhost, plus those explicitly 
> copied over after the SSL_set_SSL_CTX() call.

Not from what I remember from my work on the patch in January/February,
but I need to look into it again before coming up with a thorough
analysis. Generally speaking, the question is what setting in an SSL
structure (as obtained by SSL_new) is taken from the SSL_CTX at what
time (and whether SSL has its own copy or just takes it from its
underlying SSL_CTX referenced through the ctx pointer member). Depending
on this, some additional tuning after SSL_set_SSL_CTX is necessary - as
it turned out to be the case for verify_mode, e.g.

> SSLCertificateChainFile
> SSLCADNRequest{File,Path}
> SSLHonorCipherOrder
> SSLProtocol
> which I think is an exhaustive list.  SSLProtocol and 
> SSLHonorCipherOrder may be "interesting" because the handshake has 
> already begun at the point it needs to be applied.

Ok, I'll examine these as well - but this of course will take me a few
days, so thanks for staying tuned (and for your replies so far).


View raw message