On Tue, Oct 1, 2013 at 3:15 AM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote:
>
> OpenSSL has the concept of the "current certificate". That is the last
> certificate set. So you set certificate "foo" and then any parameters you
> set are associated with it until another certificate is set. For OpenSSL
> 1.0.2 you can set custom chains for each certificate type for example.
> You couldn't do that before 1.0.2.
>
> So ServerInfo would really need an option to set at the SSL_CTX or the SSL
> level in OpenSSL as you can set different certificates for each SSL
> structure. It would use the current certificate at the SSL_CTX or SSL
> level to decide which is affected.
>

OK. So the OpenSSL 1.0.2 code may already be doing the right thing - it
actually *is* storing the ServerInfo based on the "current certificate",
i.e. in SSL_CTX.pkeys[current].serverinfo.

> That's just OpenSSL internals though. To handle ServerInfo properly in
> mod_ssl IMHO you would need a new directive as there's no support for
> per-certificate SSL_CONF commands: it wasn't intended to be used like
> that in its current form.
>

OK, in light of this new info, what do you think of my original patch?

https://issues.apache.org/bugzilla/show_bug.cgi?id=55593

I presume something like the following should work in httpd-ssl.conf?

    ....
    SSLCertificateFile      "certs/cert1.pem"
    SSLCertificateKeyFile   "certs/key1.pem"
    SSLCertificateChainFile "certs/intermed1.pem"
    SSLServerInfoFile       "certs/E1.pem"

    SSLCertificateFile      "certs/cert2.pem"
    SSLCertificateKeyFile   "certs/key2.pem"
    SSLCertificateChainFile "certs/intermed2.pem"
    SSLServerInfoFile       "certs/E2.pem"
    ...

(I haven't yet tested with different cert types...)

Trevor
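Two things a practitioner would want to check before relying on the ordering above: that each E*.pem is a well-formed ServerInfo file, and that the "current certificate" rule really does bind each ServerInfo file to the certificate set just before it. The following Python script is an added example, not code from this thread, from OpenSSL or from httpd. It parses the OpenSSL 1.0.2 ServerInfo file format as described in the SSL_CTX_use_serverinfo_file documentation (PEM blocks named "SERVERINFO FOR <name>" wrapping a sequence of records, each a 2-byte big-endian extension type, a 2-byte length and that many bytes of data), and it models the binding rule from Stephen's explanation over the directive order in the config fragment. The sample file contents, the private-use extension types 0xFF01/0xFF02, and the SSLServerInfoFile directive itself (Trevor's proposed directive, not a shipping mod_ssl one) are constructed or assumed for the example.

```python
import base64
import struct
from typing import Dict, List, Optional, Tuple

BEGIN = "-----BEGIN SERVERINFO FOR "
END = "-----END SERVERINFO FOR "


def build_serverinfo_pem(name: str, records: List[Tuple[int, bytes]]) -> str:
    """Encode (ext_type, data) records as one 'SERVERINFO FOR name' PEM block."""
    body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in records)
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"{BEGIN}{name}-----\n" + "\n".join(lines) + f"\n{END}{name}-----\n"


def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the [type(2)][len(2)][data] records; reject truncated input."""
    pos, recs = 0, []
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated record header")
        ext_type, length = struct.unpack_from(">HH", data, pos)
        pos += 4
        if len(data) - pos < length:
            raise ValueError("record length exceeds remaining data")
        recs.append((ext_type, data[pos:pos + length]))
        pos += length
    return recs


def is_well_formed(data: bytes) -> bool:
    try:
        parse_records(data)
        return True
    except ValueError:
        return False


def parse_serverinfo_pem(text: str) -> List[Tuple[str, int, bytes]]:
    """Return (block name, ext_type, data) for every record in every block."""
    out: List[Tuple[str, int, bytes]] = []
    name: Optional[str] = None
    buf: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(BEGIN) and line.endswith("-----"):
            name, buf = line[len(BEGIN):-5], []
        elif line.startswith(END) and line.endswith("-----"):
            if name is None or line[len(END):-5] != name:
                raise ValueError("END line does not match BEGIN line")
            data = base64.b64decode("".join(buf), validate=True)
            out.extend((name, t, d) for t, d in parse_records(data))
            name = None
        elif name is not None and line:
            buf.append(line)
    if name is not None:
        raise ValueError(f"unterminated block for {name}")
    return out


def serverinfo_per_certificate(directives: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Model the 'current certificate' rule: a ServerInfo file attaches to
    the most recently set SSLCertificateFile. Certificates that never get a
    ServerInfo file map to None."""
    current: Optional[str] = None
    mapping: Dict[str, Optional[str]] = {}
    for directive, value in directives:
        if directive == "SSLCertificateFile":
            current = value
            mapping.setdefault(current, None)
        elif directive == "SSLServerInfoFile":  # assumed/proposed directive
            if current is None:
                raise ValueError("SSLServerInfoFile before any SSLCertificateFile")
            mapping[current] = value
    return mapping


# Constructed sample: two private-use extension types with placeholder payloads.
SAMPLE_RECORDS = [(0xFF01, b"constructed-payload-1"), (0xFF02, b"\x00\x01\x02")]
SAMPLE_PEM = build_serverinfo_pem("example", SAMPLE_RECORDS)

# Directive order taken from the config fragment in the mail above.
SAMPLE_DIRECTIVES = [
    ("SSLCertificateFile", "certs/cert1.pem"),
    ("SSLCertificateKeyFile", "certs/key1.pem"),
    ("SSLCertificateChainFile", "certs/intermed1.pem"),
    ("SSLServerInfoFile", "certs/E1.pem"),
    ("SSLCertificateFile", "certs/cert2.pem"),
    ("SSLCertificateKeyFile", "certs/key2.pem"),
    ("SSLCertificateChainFile", "certs/intermed2.pem"),
    ("SSLServerInfoFile", "certs/E2.pem"),
]

if __name__ == "__main__":
    for blk, t, d in parse_serverinfo_pem(SAMPLE_PEM):
        print(f"{blk}: ext_type=0x{t:04x} len={len(d)}")
    print(serverinfo_per_certificate(SAMPLE_DIRECTIVES))
```

Run it against a real E1.pem by replacing SAMPLE_PEM with the file's contents; a ValueError from parse_records means OpenSSL's own loader would also reject the file. The mapping function only mirrors the rule as stated in the thread; it says nothing about how mod_ssl actually dispatches the directive, which is exactly what Trevor's patch has to implement.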