httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Wed, 02 Oct 2013 07:35:23 GMT
On 01.10.2013 12:15, Dr Stephen Henson wrote:
> That's just OpenSSL internals though. To handle ServerInfo properly in mod_ssl
> IMHO you would need a new directive as there's no support for per-certificate
> SSL_CONF commands: it wasn't intended to be used like that in its current form.
> 
> This also runs against what IMHO is a long standing historical problem with the
> way mod_ssl handles certificates: it hard codes the algorithms used in the
> source. That means every new algorithm needs mod_ssl code changes to support:
> ECC for example.

True. I guess it's a side effect of keeping private key pass phrases in
the global SSLModConfigRec. From ssl_private.h:

> /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
>  * allocated out of the "process" pool and only a single such
>  * structure is created and used for the lifetime of the process.
[...]
>  * This odd lifetime strategy is used so that encrypted private keys
>  * can be decrypted once at startup and continue to be used across
>  * subsequent server reloads where the interactive password prompt is
>  * not possible.
[...]
>  * This should really be fixed using a smaller structure which only
>  * stores that which is absolutely necessary (the private keys, maybe
>  * the random seed), and have that structure be strictly ABI-versioned
>  * for safety.

Whether the latter is doable without breaking backward config
compatibility (in particular for the SSLCertificate*File directives)
needs further examination, I guess.

An overhaul of ssl_engine_pphrase.c:ssl_pphrase_Handle() - and its use
of the tVHostKeys and tPublicCert hashes - would probably be welcomed by
quite a few devs, though (see e.g. https://svn.apache.org/r1069765).

> Ideally it should be able to send an arbitrary number of
> certificates and keys to OpenSSL and let it decide what to do with them.

Agreed. I would also like to see SSL_CTX_use_certificate_chain_file
being used instead of SSL_CTX_use_certificate,
SSL_CTX_use_certificate_chain and the SSL_read_X509 OpenSSL low-level
stuff mod_ssl currently has in ssl_util_ssl.c.

Kaspar

Mime
View raw message