httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Trevor Perrin <tr...@trevp.net>
Subject Re: [PATCH 55593] Add "SSLServerInfoFile" directive
Date Mon, 21 Oct 2013 04:09:37 GMT
On Sun, Oct 13, 2013 at 2:24 AM, Kaspar Brand <httpd-dev.2013@velox.ch> wrote:
> On 13.10.2013 00:43, Trevor Perrin wrote:
>>
>> But maybe the easiest way to handle this is to create another hash
>> table like tPublicCert (e.g. tServerInfoFile or tSSLConfCmd).
>>
>> This table could be populated in ssl_pphrase_Handle at the same time
>> that the tPublicCert table is populated, and read in
>> ssl_server_import_certs()?
>
> Please not... as the comment in ssl_private.h already says, "This should
> really be fixed using a smaller structure".
>
> As a proof of concept (or proof of my theory, if you like), I'm
> attaching a patch which completely does without the whole
> ssl_pphrase_Handle dance (with the limitation of not supporting
> encrypted key files, currently).

Hi Kaspar,

I looked at your patch.  Besides lack of passphrase-handling, it
breaks compatibility with existing config files (which assume
certs/keys are matched by type, not order).  Also, I don't see an
obvious way to interleave SSL_CONF ServerInfoFile commands.


> Provided that OpenSSL adds support for KeyFile and CertificateFile to
> SSL_CONF, you could simply replace the
> SSL_CTX_use_certificate_chain_file()/SSL_CTX_use_PrivateKey_file() calls
> with a replay of the whole SSL_CONF_CMD stanza, including ServerInfoFile.

That would work, but someone would have to rewrite all the
passphrase-handling code, and users would have to switch to a new set
of commands for working with certs / keys.

Seems like a lot of work.  For example, how would the generic
SSLConfCmd commands get hooked-up with passphrase handling for the key
files?


>> Perhaps I could just do a directive for now, and let all this be swept
>> into a big redesign later?
>
> It depends on what your goal is. If it's a patch for your own needs,
> then that's fine, but I'm clearly not in support of adding this to the
> mod_ssl tree (not to trunk, but even less as a backport to 2.4.x).

I'd like to get ServerInfo support into mod_ssl.  I could add a
"ServerInfoFile" directive pretty easily and cleanly, per previous
mail.

Redesigning and reimplementing all of mod_ssl's cert / key handling
around SSLConfCmd is a bigger task than I can handle.  If someone else
is tackling that, I could add a ServerInfoFile command later.

But I still wonder if a ServerInfoFile directive would be worthwhile,
in the meantime.


Trevor

Mime
View raw message