On Tue, Sep 24, 2013 at 10:39 PM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
> On 25.09.2013 04:13, Trevor Perrin wrote:
>> The feature is checked in to the 1.0.2 branch [1], so we'd like to
>> expose it through Apache.
>>
>> The patch is pretty simple. I suppose more tests or docs might be
>> needed (?), which I'm happy to write.
>>
>> Anyways, is this something Apache is interested in? Does the patch
>> look correct? [2]
>
> I'd very much prefer to see this supported via SSLOpenSSLConfCmd
> (http://svn.apache.org/r1421323), and not code this into mod_ssl by
> adding yet another directive. For the authz_file / RFC 5878 stuff, I did
> some experiments at the time, and am attaching a[n untested] patch for
> SSL_CTX_use_serverinfo_file - could you give it a try?
Thanks, I tried that. It doesn't work with filenames relative to the Apache root. The patch I submitted uses ssl_engine_config.c:ssl_cmd_check_file() to map relative to absolute filenames. I'm not sure how you'd do that with SSLOpenSSLConfCmd?

(For context: the ServerInfo file is replacing the 5878/authz file, as it's more useful to be able to provide ServerHello extensions, instead of 5878 extensions. I think 5878 is somewhat falling out of favor - or at least I hope so... [1]).

Trevor

[1] http://www.ietf.org/mail-archive/web/tls/current/msg09913.html