On 01.10.2013 12:15, Dr Stephen Henson wrote:
> That's just OpenSSL internals though. To handle ServerInfo properly in mod_ssl
> IMHO you would need a new directive as there's no support for per-certificate
> SSL_CONF commands: it wasn't intended to be used like that in its current
> form.
>
> This also runs against what IMHO is a long standing historical problem with
> the way mod_ssl handles certificates: it hard codes the algorithms used in the
> source. That means every new algorithm needs mod_ssl code changes to support:
> ECC for example.

True. I guess it's a side effect of keeping private key pass phrases in the global SSLModConfigRec. From ssl_private.h:

> /* BIG FAT WARNING: SSLModConfigRec has unusual memory lifetime: it is
>  * allocated out of the "process" pool and only a single such
>  * structure is created and used for the lifetime of the process. [...]
>  * This odd lifetime strategy is used so that encrypted private keys
>  * can be decrypted once at startup and continue to be used across
>  * subsequent server reloads where the interactive password prompt is
>  * not possible. [...]
>  * This should really be fixed using a smaller structure which only
>  * stores that which is absolutely necessary (the private keys, maybe
>  * the random seed), and have that structure be strictly ABI-versioned
>  * for safety.

Whether the latter is doable without breaking backward config compatibility (in particular for the SSLCertificate*File directives) needs further examination, I guess. An overhaul of ssl_engine_pphrase.c:ssl_pphrase_Handle() - and its use of the tVHostKeys and tPublicCert hashes - would probably be welcomed by quite a few devs, though (see e.g. https://svn.apache.org/r1069765).

> Ideally it should be able to send an arbitrary number of
> certificates and keys to OpenSSL and let it decide what to do with them.

Agreed. I would also like to see SSL_CTX_use_certificate_chain_file being used instead of SSL_CTX_use_certificate, SSL_CTX_use_certificate_chain and the SSL_read_X509 OpenSSL low-level stuff mod_ssl currently has in ssl_util_ssl.c.

Kaspar