Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C5F091014F for ; Mon, 18 Nov 2013 14:39:04 +0000 (UTC) Received: (qmail 789 invoked by uid 500); 18 Nov 2013 14:39:03 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 732 invoked by uid 500); 18 Nov 2013 14:39:03 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 724 invoked by uid 99); 18 Nov 2013 14:39:03 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Nov 2013 14:39:03 +0000 X-ASF-Spam-Status: No, hits=0.0 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_PASS,T_HK_NAME_DR X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy includes SPF record at spf.trusted-forwarder.org) Received: from [195.8.89.34] (HELO claranet-outbound-smtp01.uk.clara.net) (195.8.89.34) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Nov 2013 14:38:57 +0000 Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:50356 helo=[192.168.7.9]) by relay11.mail.eu.clara.net (relay.clara.net [81.171.239.31]:10465) with esmtpa (authdaemon_plain:drh) id 1ViPyE-0006Aa-4d for dev@httpd.apache.org (return-path ); Mon, 18 Nov 2013 14:38:34 +0000 Message-ID: <528A2668.4020601@opensslfoundation.com> Date: Mon, 18 Nov 2013 14:38:32 +0000 From: Dr Stephen Henson Organization: The OpenSSL Foundation User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl? References: <52838765.8020401@velox.ch> <52838C8F.5020803@opensslfoundation.com> <52846792.1050403@velox.ch> <20131114115430.GA5939@redhat.com> <5288DA3F.1060602@velox.ch> <5288E006.5030707@opensslfoundation.com> In-Reply-To: <5288E006.5030707@opensslfoundation.com> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 17/11/2013 15:25, Dr Stephen Henson wrote: > > Evil hack workaround: create a temporary SSL structure from the SSL_CTX of > interest after you call SSL_CTX_get_certificate, call SSL_get_certificate on it > and then free up the temp SSL structure. That *should* work on all the versions > of OpenSSL of interest. That's not very efficient and makes me cringe a bit but > you'd only go through it once on start up. > Erk typo.. I of course meant "...after you call SSL_CTX_use_certificate_file or SSL_CTX_use_certificate_chain_file..." A point to note about SSL_CTX_use_certificate_chain_file, at least in its current form. If the certificate file contains additional certificates this will end up adding them to the SSL_CTX using SSL_CTX_add_extra_chain_cert. That is more efficient as it doesn't have to try and build the chain on each call. Unfortunately due to a limitation in OpenSSL 1.0.1 and earlier you can only have one chain for the SSL_CTX shared by all certificate types and all SSL structures created from it. That means if you have more than one certificate configured and they have different chains the second will replace the first in the SSL_CTX and it will end up sending the wrong chain in some cases. For OpenSSL 1.0.2 this limitation is removed and you can have different chains for each certificate type (and for SSL structures too) and it just uses the right one. This uses the function SSL_CTX_add1_chain_cert which adds a certificate to the chain for the current certificate. I *could* change SSL_CTX_use_certificate_chain_file to use SSL_CTX_add1_chain_cert instead of SSL_CTX_add_extra_chain_cert or perhaps have a different function. I'm always cautious about changing the behaviour of existing functions though as the most innocent change will usually break *something*, though I can't see how it can in this case. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shenson@opensslfoundation.com