httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)
Date Thu, 22 Dec 2011 16:53:35 GMT
On 22/12/2011 10:59, Kaspar Brand wrote:
> On 05.08.2011 07:41, Kaspar Brand wrote:
>> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>>> related structures opaque and only allow them to be accessed through functions.
>>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
>>> headers.
>> Thanks for this information, this definitely seems a desirable goal for
>> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).
> Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
> look. With trunk/2.4.x, things are already in pretty good shape, I think.
>> I haven't had time to try getting mod_ssl to work with this option. It is
>> guaranteed to fail without some modification. There may well be some
>> functionality missing in OpenSSL too.
> For mod_ssl, after some tweaking, two things are basically missing with
> the current 1.0.1 snapshots:
> 1) access to the SSL_CTX's "extra_certs". Currently there's only
> SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
> configured stack of certs, and no option to clear that stack. mod_ssl
> needs this for ssl_util_stapling.c:stapling_get_issuer(),
> ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
> ssl_util_ssl.c:SSL_CTX_use_certificate_chain().
> 2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
> ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().
> Is there a chance to add these for the initial 1.0.1 release?

I've added a few new controls and one new function which should resolve this;
see the last few commits.

I deleted a couple of functions duplicating functionality too.

Let me know if you need further details or it needs fixing.

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
