On 25.09.2013 04:13, Trevor Perrin wrote:
> The feature is checked in to the 1.0.2 branch [1], so we'd like to
> expose it through Apache.
>
> The patch is pretty simple. I suppose more tests or docs might be
> needed (?), which I'm happy to write.
>
> Anyways, is this something Apache is interested in? Does the patch
> look correct? [2]
I'd very much prefer to see this supported via SSLOpenSSLConfCmd
(http://svn.apache.org/r1421323), and not code this into mod_ssl by
adding yet another directive. For the authz_file / RFC 5878 stuff, I did
some experiments at the time, and am attaching a[n untested] patch for
SSL_CTX_use_serverinfo_file - could you give it a try?
Depending on when exactly you need the SSL_CTX_use_serverinfo_file to
happen in ssl_engine_init.c, we might have to move around the #ifdef
HAVE_SSL_CONF_CMD block somewhat, but this shouldn't be a real issue
(for authz_file, it was necessary/doable).
Kaspar
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 1f4c4dd..2c0e356 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -365,6 +365,14 @@ static int cmd_options(SSL_CONF_CTX *cctx, const char
*value)
return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
}
+static int cmd_serverinfo_file(SSL_CONF_CTX *cctx, const char *value)
+ {
+ int rv = 1;
+ if (cctx->ctx)
+ rv = SSL_CTX_use_serverinfo_file(cctx->ctx, value);
+ return rv > 0;
+ }
+
typedef struct
{
int (*cmd)(SSL_CONF_CTX *cctx, const char *value);
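Review bot: cmd_serverinfo_file reports success when cctx->ctx is NULL (rv stays 1, so the function returns 1), which means a ServerInfoFile command issued on a config context that is not bound to an SSL_CTX is accepted without the file ever being loaded; consider returning failure (or raising an error) in that branch so a misplaced command is not hidden from the caller. Since the patch is described as untested, a test covering both the loaded path and the no-SSL_CTX path would be worth adding.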
@@ -372,7 +380,7 @@ typedef struct
const char *str_cmdline;
} ssl_conf_cmd_tbl;
-/* Table of supported patameters */
+/* Table of supported parameters */
static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
{cmd_sigalgs, "SignatureAlgorithms", "sigalgs"},
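Review bot: the comment spelling fix ("patameters" to "parameters") is unrelated to the serverinfo feature; it is fine to keep, but splitting it into its own commit would leave the feature patch minimal and easier to review and backport.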
@@ -384,6 +392,7 @@ static ssl_conf_cmd_tbl ssl_conf_cmds[] = {
{cmd_cipher_list, "CipherString", "cipher"},
{cmd_protocol, "Protocol", NULL},
{cmd_options, "Options", NULL},
+ {cmd_serverinfo_file, "ServerInfoFile", NULL},
};
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value)
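Review bot: the new "ServerInfoFile" entry has no command-line form (str_cmdline is NULL), which is consistent with Protocol and Options, but nothing in this patch documents the new configuration-file command; add it to the SSL_CONF_cmd documentation next to the other commands so that users reaching it through Apache's SSLOpenSSLConfCmd can discover the name and the expected value (a path to a serverinfo file).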