httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <>
Subject Re: Certificate handling limitations in mod_ssl.
Date Sun, 05 Feb 2012 11:08:50 GMT
On 04.02.2012 15:27, Dr Stephen Henson wrote:
> IMHO to avoid these problems it would be better if mod_ssl could send an
> arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL to
> process them in an appropriate manner.

Would that mean supplying names of key/certificate files to OpenSSL, or
are you thinking of sending parsed keys/certs (like
SSL_CTX_use_PrivateKey() etc. does right now)?

Dealing with encrypted keys might become more tricky, depending on how
the API for this would look like (currently, mod_ssl remembers the
unencrypted keys in a separate table, so that they can survive a

> If finer control over some operations (for example to detect configuration
> errors) is required OpenSSL could be extended to support that.

This would certainly help. Things which come to mind: host name mismatch
(i.e., cert does not include DNS name for ServerName/ServerAlias),
private-vs.-public-key mismatch, missing chain.


View raw message