On 27.09.2013 20:58, Trevor Perrin wrote:
> On Fri, Sep 27, 2013 at 9:16 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
>> It could probably be handled in
>> ssl_engine_config.c:ssl_cmd_SSLOpenSSLConfCmd(), but this would again
>> mean adding specific code for ServerInfoFile.
> 
> If we're adding specific code for ServerInfoFile, would it make more
> sense just to do a separate directive?

I would like to avoid that, as it would mean extending
modssl_pk_server_t (or some other struct) whenever an additional OpenSSL
feature is added. See also this thread for some background:

https://mail-archives.apache.org/mod_mbox/httpd-dev/201202.mbox/%3C4F2A9A20.7010502%40opensslfoundation.com%3E

>>   Define SR /path/to/server/root/
>>   SSLOpenSSLConfCmd ServerInfoFile ${SR}relative/file/name
> 
> Hmm, are you asking the web admin to define SR?  That doesn't seem
> much easier than just telling them to use the absolute name:
> 
> SSLOpenSSLConfCmd ServerInfoFile /path/to/server/root/relative/file/name

We could do that in the default httpd.conf file, similar to how it was
done with http://svn.apache.org/r1401126 for DocumentRoot.

If the ability to specify relative path names with SSLOpenSSLConfCmd is
considered an absolutely essential feature, then OpenSSL could perhaps
"standardize" its option names somewhat - e.g. by always naming those
which take a file name argument with "...File". We could then handle
such a case in mod_ssl as illustrated by the attached patch.

Kaspar
Index: ssl_engine_config.c
===================================================================
--- ssl_engine_config.c (revision 1527187)
+++ ssl_engine_config.c (working copy)
@@ -1820,9 +1820,15 @@
 const char *ssl_cmd_SSLOpenSSLConfCmd(cmd_parms *cmd, void *dcfg,
                                        const char *arg1, const char *arg2)
 {
-    ssl_ctx_param_t *param;
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    param = apr_array_push(sc->server->ssl_ctx_param);
+    ssl_ctx_param_t *param = apr_array_push(sc->server->ssl_ctx_param);
+    const char *err;
+
+    if (!strncmp(&arg1[strlen(arg1)-4], "File", 4) &&
+        (err = ssl_cmd_check_file(cmd, &arg2))) {
+       return err;
+    }
+
     param->name = arg1;
     param->value = arg2;
     return NULL;
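
Review bot: In the added suffix test, `&arg1[strlen(arg1)-4]` is evaluated without a length check, so for an option name shorter than four characters `strlen(arg1)-4` wraps around and strncmp() reads outside the string. Take the length first and guard on it, for example `size_t len = strlen(arg1);` followed by `if (len >= 4 && !strncmp(arg1 + len - 4, "File", 4) && ...)`. The comparison is also case-sensitive, so a name spelled "serverinfofile" would bypass ssl_cmd_check_file(); if such spellings are accepted further down, compare the suffix with strcasecmp() instead. Minor: `return err;` is indented seven spaces where the surrounding code uses multiples of four.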
