On 01/10/2013 05:53, Trevor Perrin wrote:
> On Sun, Sep 29, 2013 at 1:06 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
>> On 28.09.2013 18:34, Dr Stephen Henson wrote:
>>> How about something like:
>>>
>>> int SSL_CONF_cmd_type(SSL_CONF_CTX *cctx, const char *cmd);
>>>
>>> which can return things like...
>>>
>>> SSL_CONF_TYPE_INVALID:  unrecognised name.
>>> SSL_CONF_TYPE_FILE:     file name.
>>> SSL_CONF_TYPE_DIR:      directory name.
>>> ... others ...
>>> SSL_CONF_TYPE_STR:      string with no special meaning.
>>
>> Sounds good, yes.
> 
> Sounds fine to me.  But another wrinkle is occurring to me:
> 
> We're going to need different ServerInfo files for different certs
> (since things like Certificate Transparency and TACK will return
> different data depending on the server's cert/key).
> 
> The OpenSSL code was written on the assumption of one ServerInfo file
> per SSL_CTX, so will need a bit of rework.  But it's worth discussing
> what the API should be.
> 
> There are currently 8 possible key/cert types in OpenSSL (ssl/ssl_locl.h):
> """
> #define SSL_PKEY_RSA_ENC 0
> #define SSL_PKEY_RSA_SIGN 1
> #define SSL_PKEY_DSA_SIGN 2
> #define SSL_PKEY_DH_RSA 3
> #define SSL_PKEY_DH_DSA 4
> #define SSL_PKEY_ECC        5
> #define SSL_PKEY_GOST94 6
> #define SSL_PKEY_GOST01 7
> """
> 
> I think we'd rather not try to embed OIDs or whatever in the
> ServerInfo files.  Perhaps the ServerInfoFile ConfCmd could be
> annotated to refer to these identifiers somehow?
> 
> 
> SSLOpenSSLConfCmd ServerInfoFile_RSA_ENC certs/ServerInfo1.pem
> SSLOpenSSLConfCmd ServerInfoFile_RSA_SIGN certs/ServerInfo2.pem
> 
>  - or -
> 
> SSLOpenSSLConfCmd ServerInfoFile 0 certs/ServerInfo1.pem
> SSLOpenSSLConfCmd ServerInfoFile 1 certs/ServerInfo2.pem
> 
> 
> Any thoughts??
> 

I'd rather we didn't do that for reasons I'll expand on below.

OpenSSL has the concept of the "current certificate". That is the last
certificate set. So you set certificate "foo" and then any parameters you set
are associated with it until another certificate is set. For OpenSSL 1.0.2 you
can set custom chains for each certificate type for example. You couldn't do
that before 1.0.2.

So ServerInfo would really need an option to set at the SSL_CTX or the SSL level
in OpenSSL as you can set different certificates for each SSL structure. It
would use the current certificate at the SSL_CTX or SSL level to decide which is
affected.

That's just OpenSSL internals though. To handle ServerInfo properly in mod_ssl
IMHO you would need a new directive as there's no support for per-certificate
SSL_CONF commands: it wasn't intended to be used like that in its current form.

This also runs against what IMHO is a long-standing historical problem with the
way mod_ssl handles certificates: it hard codes the algorithms used in the
source. That means every new algorithm needs mod_ssl code changes to support it:
ECC, for example. Ideally it should be able to send an arbitrary number of
certificates and keys to OpenSSL and let it decide what to do with them.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
