httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Certificate handling limitations in mod_ssl.
Date Sat, 04 Feb 2012 14:27:57 GMT
The way mod_ssl currently handles certificates and private keys is rather
restrictive and means some of OpenSSL's current and planned future features
can't be used automatically.

Currently mod_ssl hard codes algorithms and has a limitation of one certificate
per algorithm.

This has two consequences...

1. New algorithms (such as GOST and fixed DH) cannot be configured and need to
be added into the mod_ssl code.

2. Multiple certificates for a given algorithm are not supported. For
example, future "full" use of ECC ciphersuites might have different certificates
for different curves, the selection of which is determined by the curves the
client supports.

IMHO to avoid these problems it would be better if mod_ssl could send an
arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL to
process them in an appropriate manner.

If finer control over some operations (for example to detect configuration
errors) is required OpenSSL could be extended to support that.

Thoughts?

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
