httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Trevor Perrin <tr...@trevp.net>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Thu, 26 Sep 2013 21:59:11 GMT
On Tue, Sep 24, 2013 at 10:39 PM, Kaspar Brand <httpd-dev.2013@velox.ch> wrote:
> On 25.09.2013 04:13, Trevor Perrin wrote:
>> The feature is checked in to the 1.0.2 branch [1], so we'd like to
>> expose it through Apache.
>>
>> The patch is pretty simple.  I suppose more tests or docs might be
>> needed (?), which I'm happy to write.
>>
>> Anyways, is this something Apache is interested it?  Does the patch
>> look correct? [2]
>
> I'd very much prefer to see this supported via SSLOpenSSLConfCmd
> (http://svn.apache.org/r1421323), and not code this into mod_ssl by
> adding yet another directive. For the authz_file / RFC 5878 stuff, I did
> some experiments at the time, and am attaching a[n untested] patch for
> SSL_CTX_use_serverinfo_file - could you give it a try?

Thanks, I tried that.

It doesn't work with filenames relative to the Apache root.  The patch
I submitted uses ssl_engine_config.c:ssl_cmd_check_file() to map
relative to absolute filenames.  I'm not sure how you'd do that with
SSLOpenSSLConfCmd?

(For context: the ServerInfo file is replacing the 5878/authz file, as
it's more useful to be able to provide ServerHello extensions, instead
of 5878 extensions.  I think 5878 is somewhat falling out of favor -
or at least I hope so... [1]).

Trevor

[1] http://www.ietf.org/mail-archive/web/tls/current/msg09913.html

Mime
View raw message