httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Mon, 18 Nov 2013 14:38:32 GMT
On 17/11/2013 15:25, Dr Stephen Henson wrote:
> 
> Evil hack workaround: create a temporary SSL structure from the SSL_CTX of
> interest after you call SSL_CTX_get_certificate, call SSL_get_certificate on it
> and then free up the temp SSL structure. That *should* work on all the versions
> of OpenSSL of interest. That's not very efficient and makes me cringe a bit but
> you'd only go through it once on start up.
> 

Erk typo.. I of course meant "...after you call SSL_CTX_use_certificate_file or
SSL_CTX_use_certificate_chain_file..."

A point to note about SSL_CTX_use_certificate_chain_file, at least in its
current form.

If the certificate file contains additional certificates this will end up adding
them to the SSL_CTX using SSL_CTX_add_extra_chain_cert. That is more efficient
as it doesn't have to try and build the chain on each call.

Unfortunately due to a limitation in OpenSSL 1.0.1 and earlier you can only have
one chain for the SSL_CTX shared by all certificate types and all SSL structures
created from it.

That means if you have more than one certificate configured and they have
different chains the second will replace the first in the SSL_CTX and it will
end up sending the wrong chain in some cases.

For OpenSSL 1.0.2 this limitation is removed and you can have different chains
for each certificate type (and for SSL structures too) and it just uses the
right one. This uses the function SSL_CTX_add1_chain_cert which adds a
certificate to the chain for the current certificate.

I *could* change SSL_CTX_use_certificate_chain_file to use
SSL_CTX_add1_chain_cert instead of SSL_CTX_add_extra_chain_cert or perhaps have
a different function. I'm always cautious about changing the behaviour of
existing functions though as the most innocent change will usually break
*something*, though I can't see how it can in this case.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
