httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: OpenSSL configuration and mod_ssl
Date Thu, 02 Feb 2012 14:22:23 GMT


> -----Original Message-----
> From: Dr Stephen Henson [mailto:shenson@opensslfoundation.com]
> Sent: Donnerstag, 2. Februar 2012 15:14
> To: dev@httpd.apache.org
> Subject: OpenSSL configuration and mod_ssl
> 
> Guys,
> 
> It has been apparent for some time that mod_ssl (and other applications)
> require
> a considerable effort to support new features in OpenSSL.
> 
> A simple example is when a new flag is added which some, but not all,
> users may
> want to set. Once this flag appears in an OpenSSL release every OpenSSL
> based
> application needs to be modified to support and document it.
> Specification of
> this option might be via a command line option or (in the case of
> mod_ssl and
> others) a configuration file.
> 
> It would IMHO be far better if a mechanism existed to support automatic
> configuration of some options by conforming applications.
> 
> There is a current example where this works well: the cipher string.
> With the
> inclusion of TLS v1.2 in the upcoming OpenSSL 1.0.1 release several new
> ciphersuites based on SHA256 and GCM have appeared. An application
> generally
> doesn't need to know or care what these are. A user can enable or
> disable them
> by just using the cipher string: it is passed as an opaque string which
> OpenSSL
> interprets.
> 
> So my thoughts are that this concept could be generalised.
> 
> A simple answer is to add new string setting options. For example:
> 
> int SSL_CTX_set_options_string(SSL_CTX *ctx, const char *str);

+1 in principle. Could be handy for mod_ssl.

> 
> This works for existing simple configuration but a new string (for
> example TLS
> 1.2 supported signature algorithms) might be added in the future so then
> we're
> back to having to explicitly add support to all applications for each
> new string
> configuration option.
> 
> So perhaps:
> 
> int SSL_CTX_set_config_string(SSL_CTX *ctx,
> 				const char *name, const char *value);
> 
> Where the values of "name" can expand over time.

+1 same as above.

> 
> I'm not completely sure that this could be handled by the mod_ssl
> configuration routines, perhaps someone could comment on that?
> 
> A third method is to delegate the configuration completely to OpenSSL
> using a
> separate configuration file. So, we'd have an option to set the
> configuration
> file to use and then something like:
> 
> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);

-0 from mod_ssl perspective. How do you configure which configuration file to use in this
case?
If it is the system wide one I don't regard this as beneficial as a web server operator might
not have write access to it.


Regards

Rüdiger


Mime
View raw message