httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)
Date Thu, 22 Dec 2011 10:59:26 GMT
On 05.08.2011 07:41, Kaspar Brand wrote:
> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>> related structures opaque and only allow them to be accessed through functions.
>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
>> headers.
> 
> Thanks for this information, this definitely seems a desirable goal for
> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).

Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
look. With trunk/2.4.x, things are already in pretty good shape, I think.

> I haven't had time to try getting mod_ssl to work with this option. It is
> guaranteed to fail without some modification. There may well be some
> functionality missing in OpenSSL too.

For mod_ssl, after some tweaking, two things are basically missing with
the current 1.0.1 snapshots:

1) access to the SSL_CTX's "extra_certs". Currently there's only
SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
configured stack of certs, and no option to clear that stack. mod_ssl
needs this for ssl_util_stapling.c:stapling_get_issuer(),
ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
ssl_util_ssl.c:SSL_CTX_use_certificate_chain().

2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().

Is there a chance to add these for the initial 1.0.1 release?

Kaspar

Mime
View raw message