httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Mon, 18 Nov 2013 17:42:35 GMT
On 18.11.2013 15:38, Dr Stephen Henson wrote:
> Erk, typo... I of course meant "...after you call SSL_CTX_use_certificate_file or
> SSL_CTX_use_certificate_chain_file..."

Yeah, this was obvious... makes me cringe as well, but here we go:

  https://people.apache.org/~kbrand/mod_ssl_pkey_2013-11-18_wip.patch

(interdiff attached to this message)

For the SSL_CONF_cmd loop, I had to insert a call to
ssl_stapling_init_cert as well - currently I'm testing for the
"Certificate" parameter name being set, but if there's a better way to
figure out if we need to call ssl_stapling_init_cert, I'm all ears.

> Unfortunately due to a limitation in OpenSSL 1.0.1 and earlier you can only have
> one chain for the SSL_CTX shared by all certificate types and all SSL structures
> created from it.
> 
> That means if you have more than one certificate configured and they have
> different chains the second will replace the first in the SSL_CTX and it will
> end up sending the wrong chain in some cases.

Right, that's essentially what the last paragraph of the
SSLCertificateChainFile documentation states
(http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile),
so I wouldn't worry too much about the behavior with releases up to 1.0.1.

> For OpenSSL 1.0.2 this limitation is removed and you can have different chains
> for each certificate type (and for SSL structures too) and it just uses the
> right one. This uses the function SSL_CTX_add1_chain_cert which adds a
> certificate to the chain for the current certificate.
> 
> I *could* change SSL_CTX_use_certificate_chain_file to use
> SSL_CTX_add1_chain_cert instead of SSL_CTX_add_extra_chain_cert or perhaps have
> a different function. I'm always cautious about changing the behaviour of
> existing functions though as the most innocent change will usually break
> *something*, though I can't see how it can in this case.

I would be in favor of this change for 1.0.2 - to me that would be more
like a "fix" of SSL_CTX_use_certificate_chain_file than a change in
behavior, actually.

Kaspar
