On 04/02/2012 07:32, Kaspar Brand wrote:
> On 02.02.2012 15:13, Dr Stephen Henson wrote:
>>
>> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);
>>
>> Where "config_name" is a named configuration option in the OpenSSL configuration
>> file. This has the substantial advantage that there would
>> then be one configuration file format used by all OpenSSL applications.
>> The disadvantage is that it would look nothing like the existing Apache
>> configuration format.
>
> Maybe mod_ssl could offer both - a directive for configuring via
> key-value pairs for "simple" cases, and a config file based way for
> complex setups. (In some way, it's what PHP currently does with the
> php_value/php_admin_value directives and php.ini.)
>
I agree some of the more complex operations might need nested configuration
options (for example setting verification policies).
It should be possible to set up most options for an SSL_CTX or SSL structure this
way, including which key(s) and certificate(s) to use, though not sure mod_ssl
would make use of that.
> BTW: I would like to see SSL_set_config_string(), too - for those
> mod_ssl options which can be set on a per-directory basis.
>
Yes I certainly plan to have an equivalent for SSL structures too.
Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com