httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?
Date Fri, 05 Aug 2011 05:41:42 GMT
On 03.08.2011 19:29, Dr Stephen Henson wrote:
> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
> related structures opaque and only allow them to be accessed through functions.
> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
> headers.

Thanks for this information, this definitely seems a desirable goal for
mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).

> Ironically to support this you'd need to avoid some of the changes in this
> patch. For example:
> 
> -        l = strlen(SSL_CIPHER_get_name(c));
> -        memcpy(cp, SSL_CIPHER_get_name(c), l);
> +        l = strlen(c->name);
> +        memcpy(cp, c->name, l);
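
Review bot: The two `+` lines read `c->name` directly, which reaches into the SSL_CIPHER structure and cannot compile once OPENSSL_NO_SSL_INTERN makes that structure opaque; keep the `SSL_CIPHER_get_name(c)` accessor from the `-` lines instead. Calling the accessor once and holding the returned pointer in a local would also avoid the repeated call the `-` lines make. Separately, nothing in the visible lines checks `l` against the space remaining at `cp` before the `memcpy`, so confirm that the surrounding code bounds it.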

After another look, this is actually a case where I can revert the
change in my patch - I overlooked that SSL_CIPHER_get_name is a macro
which is also defined by OpenSSL itself (at least in 0.9.7 or later).

The remaining ones probably need to stay for the time being, but let me
add that I would definitely prefer mod_ssl not fiddling with the
internals of OpenSSL (as an example, modssl_set_cert_info is rather
worrisome, IMO).

My plan was to do relatively mechanical macro replacement in a first
step, then try to identify code parts which can be replaced by calls to
OpenSSL (e.g. the CRL checking stuff), and in a third step, look at the
remaining places which are "messing" with OpenSSL's internals and
hopefully replace them with proper API calls whenever possible.
OPENSSL_NO_SSL_INTERN sounds like a very useful thing for this, although
backward compatibility will still make life hard, I guess.

Kaspar
