httpd-dev mailing list archives

From Trevor Perrin <tr...@trevp.net>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Tue, 01 Oct 2013 04:53:16 GMT
On Sun, Sep 29, 2013 at 1:06 AM, Kaspar Brand <httpd-dev.2013@velox.ch> wrote:
> On 28.09.2013 18:34, Dr Stephen Henson wrote:
>> How about something like:
>>
>> int SSL_CONF_cmd_type(SSL_CONF_CTX *cctx, const char *cmd);
>>
>> which can return things like...
>>
>> SSL_CONF_TYPE_INVALID:        unrecognised name.
>> SSL_CONF_TYPE_FILE:   file name.
>> SSL_CONF_TYPE_DIR:    directory name.
>> ... others ...
>> SSL_CONF_TYPE_STR:    string with no special meaning.
>
> Sounds good, yes.

Sounds fine to me.  But another wrinkle is occurring to me:

We're going to need different ServerInfo files for different certs
(since things like Certificate Transparency and TACK will return
different data depending on the server's cert/key).

The OpenSSL code was written on the assumption of one ServerInfo file
per SSL_CTX, so will need a bit of rework.  But it's worth discussing
what the API should be.

There are currently 8 possible key/cert types in OpenSSL (ssl/ssl_locl.h):
"""
#define SSL_PKEY_RSA_ENC 0
#define SSL_PKEY_RSA_SIGN 1
#define SSL_PKEY_DSA_SIGN 2
#define SSL_PKEY_DH_RSA 3
#define SSL_PKEY_DH_DSA 4
#define SSL_PKEY_ECC        5
#define SSL_PKEY_GOST94 6
#define SSL_PKEY_GOST01 7
"""

I think we'd rather not try to embed OIDs or whatever in the
ServerInfo files.  Perhaps the ServerInfoFile ConfCmd could be
annotated to refer to these identifiers somehow?


SSLOpenSSLConfCmd ServerInfoFile_RSA_ENC certs/ServerInfo1.pem
SSLOpenSSLConfCmd ServerInfoFile_RSA_SIGN certs/ServerInfo2.pem

 - or -

SSLOpenSSLConfCmd ServerInfoFile 0 certs/ServerInfo1.pem
SSLOpenSSLConfCmd ServerInfoFile 1 certs/ServerInfo2.pem


Any thoughts??


Trevor
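To make the two directive syntaxes proposed above concrete, here is an added example that is not code from this thread, from httpd or from OpenSSL: a small Python parser that accepts both `ServerInfoFile_<TYPE> <file>` and `ServerInfoFile <index> <file>`, maps each to one of the eight SSL_PKEY_* indices quoted from ssl/ssl_locl.h, and rejects unknown key types, out-of-range indices and two files for the same key type. The `conf_cmd_value_type()` helper is a hypothetical stand-in for the `SSL_CONF_cmd_type()` call Stephen sketched, returning only the two type codes this example needs; the function and directive names are assumptions for illustration, and the config fragment is constructed.

```python
import re
from dataclasses import dataclass

# The eight key/cert type identifiers quoted from OpenSSL's ssl/ssl_locl.h
# in the message above; the value is the SSL_PKEY_* index.
SSL_PKEY_TYPES = {
    "RSA_ENC": 0, "RSA_SIGN": 1, "DSA_SIGN": 2, "DH_RSA": 3,
    "DH_DSA": 4, "ECC": 5, "GOST94": 6, "GOST01": 7,
}
INDEX_TO_NAME = {index: name for name, index in SSL_PKEY_TYPES.items()}

# Value types modelled on the proposed SSL_CONF_cmd_type() return codes
# (hypothetical stand-in; only the two codes used here).
SSL_CONF_TYPE_INVALID = "SSL_CONF_TYPE_INVALID"
SSL_CONF_TYPE_FILE = "SSL_CONF_TYPE_FILE"

_SUFFIX_FORM = re.compile(r"ServerInfoFile_([A-Z0-9_]+)")


class ConfigError(ValueError):
    """Raised for a directive that cannot be mapped to a key type and file."""


@dataclass(frozen=True)
class ServerInfoCmd:
    key_type: int   # SSL_PKEY_* index
    path: str       # ServerInfo PEM file for that key/cert


def conf_cmd_value_type(cmd):
    """Classify the value a command name expects, in the spirit of the
    proposed SSL_CONF_cmd_type(); only the ServerInfoFile forms are known."""
    if cmd == "ServerInfoFile" or _SUFFIX_FORM.fullmatch(cmd):
        return SSL_CONF_TYPE_FILE
    return SSL_CONF_TYPE_INVALID


def parse_directive(line):
    """Parse one SSLOpenSSLConfCmd line in either proposed form:
         ServerInfoFile_<TYPE> <file>   or   ServerInfoFile <index> <file>
    Returns a ServerInfoCmd, or raises ConfigError."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "SSLOpenSSLConfCmd":
        raise ConfigError(f"not an SSLOpenSSLConfCmd directive: {line!r}")
    cmd, args = tokens[1], tokens[2:]
    if conf_cmd_value_type(cmd) != SSL_CONF_TYPE_FILE:
        raise ConfigError(f"unrecognised command name {cmd!r}")
    suffix = _SUFFIX_FORM.fullmatch(cmd)
    if suffix:
        # Form 1: key type spelled out in the command name.
        name = suffix.group(1)
        if name not in SSL_PKEY_TYPES:
            raise ConfigError(f"unknown key type {name!r} in {cmd!r}")
        if len(args) != 1:
            raise ConfigError(f"{cmd} takes exactly one file argument")
        return ServerInfoCmd(SSL_PKEY_TYPES[name], args[0])
    # Form 2: numeric SSL_PKEY_* index followed by the file.
    if len(args) != 2:
        raise ConfigError("ServerInfoFile takes <index> <file>")
    if not args[0].isdigit() or int(args[0]) not in INDEX_TO_NAME:
        raise ConfigError(f"key type index {args[0]!r} is not one of 0..7")
    return ServerInfoCmd(int(args[0]), args[1])


def parse_config(text):
    """Collect ServerInfoFile directives from a config fragment into a
    {key_type_index: path} map. Other directives are ignored; a second
    file for the same key type is rejected as ambiguous."""
    files = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if (tokens[0] != "SSLOpenSSLConfCmd" or len(tokens) < 2
                or not tokens[1].startswith("ServerInfoFile")):
            continue
        try:
            cmd = parse_directive(line)
        except ConfigError as err:
            raise ConfigError(f"line {lineno}: {err}") from None
        if cmd.key_type in files:
            raise ConfigError(f"line {lineno}: duplicate ServerInfo file for "
                              f"SSL_PKEY_{INDEX_TO_NAME[cmd.key_type]}")
        files[cmd.key_type] = cmd.path
    return files


# Constructed sample config mixing both proposed syntaxes.
SAMPLE_CONFIG = """\
SSLEngine on
# RSA signing cert gets one ServerInfo file, ECC cert another
SSLOpenSSLConfCmd ServerInfoFile_RSA_SIGN certs/ServerInfo1.pem
SSLOpenSSLConfCmd ServerInfoFile 5 certs/ServerInfo2.pem
"""

if __name__ == "__main__":
    for index, path in sorted(parse_config(SAMPLE_CONFIG).items()):
        print(f"SSL_PKEY_{INDEX_TO_NAME[index]} ({index}) -> {path}")
```

Whichever spelling wins, the useful property is the same: each ServerInfo file is bound to exactly one key/cert slot at parse time, so a file meant for the RSA cert can never be silently served alongside the ECC one, and a typo in the type name fails configuration rather than being ignored.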
