httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)
Date Thu, 22 Dec 2011 16:53:35 GMT
On 22/12/2011 10:59, Kaspar Brand wrote:
> On 05.08.2011 07:41, Kaspar Brand wrote:
>> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>>> related structures opaque and only allow them to be accessed through functions.
>>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
>>> headers.
>>
>> Thanks for this information, this definitely seems a desirable goal for
>> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).
> 
> Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
> look. With trunk/2.4.x, things are already in pretty good shape, I think.
> 
>> I haven't had time to try getting mod_ssl to work with this option. It is
>> guaranteed to fail without some modification. There may well be some
>> functionality missing in OpenSSL too.
> 
> For mod_ssl, after some tweaking, two things are basically missing with
> the current 1.0.1 snapshots:
> 
> 1) access to the SSL_CTX's "extra_certs". Currently there's only
> SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
> configured stack of certs, and no option to clear that stack. mod_ssl
> needs this for ssl_util_stapling.c:stapling_get_issuer(),
> ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
> ssl_util_ssl.c:SSL_CTX_use_certificate_chain().
> 
> 2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
> ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().
> 
> Is there a chance to add these for the initial 1.0.1 release?
> 

I've added a few new controls and one new function which should resolve this,
see last few commits.

I deleted a couple of functions duplicating functionality too.

Let me know if you need further details or it needs fixing.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
