Victor Wagner wrote:
> On 2007.12.20 at 16:55:43 +0000, Dr Stephen Henson wrote:
> 
> 
>>> And most of OpenSSL applications have same problem. I've already spent
>>> considerable time convincing authors of various applications that
>>> OPENSSL_config (which is already here from 0.9.7) ought to be called.
>>>
>> And mod_ssl is one such application. I've submitted a patch that does
>> this properly in Bug #43931.
> 
> I think that mod_ssl (as well as stunnel and openvpn) have good reasons
> to be considered an exception from the rule "Every OpenSSL application
> should read site-wide openssl.cnf".
> 
> Reason 1. It has its own sophisticated configuration, so nothing prevents
> it from configuring everything from its own configuration file. And the
> configuration would be kept in one place.
> 
> Reason 2. It is an application concerned primarily with cryptography
> and security. If we talk about some client application such as an
> openssl-based web browser or mail client, users pay very little attention
> to cryptography related settings in their configs unless things are
> broken really badly. The system administrator of an HTTPS server would pay
> attention to such things, otherwise why would he have gone to the trouble
> of installing mod_ssl at all.
> 
> Reason 3. It is a server application. So, there are two main use cases:
> 1. We have a machine designated to serve web pages. In this case the
> site-wide openssl.cnf can be tuned to the needs of mod_ssl. But it just
> means splitting the server configuration into two files with different
> syntax.
> 
> 2. We have a multipurpose machine, say a multiuser host with interactive
> users which also serves as a small intranet server. In this case
> openssl.cnf would probably be tuned to the needs of interactive users,
> because they run many different ssl-enabled client programs. And
> openssl.cnf is the only place where common configuration for these programs
> can be kept. Apache quite probably would have different requirements
> for OpenSSL configuration. So, the server administrator would have to write
> a separate openssl.cnf for the web server. And we fall back to case 1:
> two files with different syntax where one would suffice.
>  

It's for some of those reasons that #43931 doesn't just call
OPENSSL_config().

It can specify alternate configuration file locations and alternate
configuration sections, so mod_ssl wouldn't have to use any system-wide
openssl.cnf: it can use Apache-specific files and/or sections.

The configuration file syntax and the use of multiple configuration files is
an issue. As you point out, the openssl.cnf format isn't the same as Apache's.

If a method is written, the NCONF API can use any appropriate
configuration file format. It might, for example, be possible to embed
OpenSSL configuration options inside a mod_ssl configuration file using
its configuration format.

I didn't do this in the patch for #43931 for several reasons.

One was to keep the patch as simple as possible initially.

There is a separate syntax issue. Should all OpenSSL applications'
configuration files use the same format, or should some use a format more
appropriate to the individual application? I can see arguments for both
options.

I also couldn't determine if the Apache configuration file API could be
used in this way. I'd appreciate any pointers on this if it is felt best
to use the Apache configuration file format.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
