Hi Kaspar, Stephen,

So I think where things stand is that the OpenSSL 1.0.2 branch is capable of handling ServerInfo on a per-algorithm basis, but it's not clear how to expose this through Apache.

(My previous email was naive, I was thinking maybe Stephen was saying the "current certificate" / "current key" concept was already exposed through to Apache, but I don't think it is).

So is there some way I could implement mod_ssl support for ServerInfo without a major rewrite of how mod_ssl handles certs and keys? (which some of the previous suggestions seemed to entail...)

Trevor

On Thu, Oct 3, 2013 at 3:37 PM, Trevor Perrin <tr...@trevp.net> wrote:
>
> On Tue, Oct 1, 2013 at 3:15 AM, Dr Stephen Henson
> <shen...@opensslfoundation.com> wrote:
>>
>> OpenSSL has the concept of the "current certificate". That is the last
>> certificate set. So you set certificate "foo" and then any parameters you
>> set are associated with it until another certificate is set. For OpenSSL
>> 1.0.2 you can set custom chains for each certificate type for example.
>> You couldn't do that before 1.0.2.
>>
>> So ServerInfo would really need an option to set at the SSL_CTX or the SSL
>> level in OpenSSL as you can set different certificates for each SSL
>> structure. It would use the current certificate at the SSL_CTX or SSL
>> level to decide which is affected.
>
> OK. So the OpenSSL 1.0.2 code may already be doing the right thing - it
> actually *is* storing the ServerInfo based on the "current certificate", ie
> in SSL_CTX.pkeys[current].serverinfo.
>
>> That's just OpenSSL internals though. To handle ServerInfo properly in
>> mod_ssl IMHO you would need a new directive as there's no support for
>> per-certificate SSL_CONF commands: it wasn't intended to be used like that
>> in its current form.
>
> OK, in light of this new info, what do you think of my original patch?
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55593
>
> I presume something like the following should work in httpd-ssl.conf? -
>
> ....
> SSLCertificateFile "certs/cert1.pem"
> SSLCertificateKeyFile "certs/key1.pem"
> SSLCertificateChainFile "certs/intermed1.pem"
> SSLServerInfoFile "certs/E1.pem"
>
> SSLCertificateFile "certs/cert2.pem"
> SSLCertificateKeyFile "certs/key2.pem"
> SSLCertificateChainFile "certs/intermed2.pem"
> SSLServerInfoFile "certs/E2.pem"
> ...
>
> (I haven't yet tested with different cert types...)
>
> Trevor
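Something worth checking before pointing an SSLServerInfoFile entry like the ones above at a file: that the file is in the shape OpenSSL 1.0.2's SSL_CTX_use_serverinfo_file() accepts (PEM blocks named "SERVERINFO FOR <label>" carrying a run of ServerHello extensions framed as 2-byte type, 2-byte length, data). This is an added example, not code from the thread, mod_ssl or OpenSSL; the sample file content and the 0xff01/0xff02 extension types are constructed placeholders.

```python
import base64
import re
from typing import List, Tuple

# Constructed stand-in for a file such as "certs/E1.pem": one PEM block whose
# payload is two extensions, 0xff01 with body b"abc" and 0xff02 with an empty
# body. The type values are placeholders, not any registered extension.
SAMPLE_EXTENSIONS = bytes.fromhex("ff010003616263" "ff020000")
SAMPLE_SERVERINFO_PEM = (
    "-----BEGIN SERVERINFO FOR rsa-example-----\n"
    + base64.b64encode(SAMPLE_EXTENSIONS).decode() + "\n"
    + "-----END SERVERINFO FOR rsa-example-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN (.+?)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_extensions(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length framing, refusing truncated headers or bodies."""
    exts, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError(f"short extension header at offset {pos}")
        ext_type = int.from_bytes(data[pos:pos + 2], "big")
        ext_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 4
        if len(data) - pos < ext_len:
            raise ValueError(f"extension {ext_type:#06x} claims {ext_len} bytes, "
                             f"only {len(data) - pos} remain")
        exts.append((ext_type, data[pos:pos + ext_len]))
        pos += ext_len
    if not exts:
        raise ValueError("serverinfo carries no extensions")
    return exts


def load_serverinfo_pem(text: str) -> List[Tuple[int, bytes]]:
    """Concatenate every SERVERINFO FOR block (as OpenSSL does) and parse it."""
    blobs = []
    for name, body in PEM_BLOCK.findall(text):
        if not name.startswith("SERVERINFO FOR "):
            raise ValueError(f"unexpected PEM block {name!r} in serverinfo file")
        blobs.append(base64.b64decode(body))
    if not blobs:
        raise ValueError("no SERVERINFO FOR blocks found")
    return parse_extensions(b"".join(blobs))


def check_serverinfo_pem(text: str) -> str:
    """'ok' when the file would be accepted, otherwise the reason it would not."""
    try:
        load_serverinfo_pem(text)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Run check_serverinfo_pem() over each file named in an SSLServerInfoFile line to catch a stray certificate block or a truncated extension before the server tries to load it.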