Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A689A928C for ; Sat, 4 Feb 2012 14:28:24 +0000 (UTC) Received: (qmail 21997 invoked by uid 500); 4 Feb 2012 14:28:23 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 21922 invoked by uid 500); 4 Feb 2012 14:28:22 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 21914 invoked by uid 99); 4 Feb 2012 14:28:22 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 04 Feb 2012 14:28:22 +0000 X-ASF-Spam-Status: No, hits=0.7 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_NEUTRAL,T_HK_NAME_DR X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [195.8.89.35] (HELO claranet-outbound-smtp02.uk.clara.net) (195.8.89.35) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 04 Feb 2012 14:28:14 +0000 Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:51928 helo=[192.168.7.8]) by relay02.mail.eu.clara.net (relay.clara.net [213.253.3.42]:10587) with esmtpsa (authdaemon_plain:drh) (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) id 1Rtgan-0006Hc-7f for dev@httpd.apache.org (return-path ); Sat, 04 Feb 2012 14:27:53 +0000 Message-ID: <4F2D406D.6080407@opensslfoundation.com> Date: Sat, 04 Feb 2012 14:27:57 +0000 From: Dr Stephen Henson Organization: The OpenSSL Foundation User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:10.0) Gecko/20120129 Thunderbird/10.0 MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Certificate handling limitations in mod_ssl. X-Enigmail-Version: 1.3.5 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org The way mod_ssl currently handles certificates and private keys is rather restrictive and means some of OpenSSL's current and planned future features can't be used automatically. Currently mod_ssl hard codes algorithms and has a limitation of one certificate per algorithm. This has two consequences... 1. New algorithms (such as GOST and fixed DH) cannot be configured and need to be added into the mod_ssl code. 2. Support for multiple certificates for a given algorithm is not supported. For example future "full" use of ECC ciphersuites might have different certificates for different curves the selection of which is determined by the curves the client supports. IMHO to avoid these problems it would be better if mod_ssl could send an arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL to process them in an appropriate manner. If finer control over some operations (for example to detect configuration errors) is required OpenSSL could be extended to support that. Thoughts? Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shenson@opensslfoundation.com