On 02/10/2013 08:35, Kaspar Brand wrote:
> 
> An overhaul of ssl_engine_pphrase.c:ssl_pphrase_Handle() - and its use
> of the tVHostKeys and tPublicCert hashes - would probably be welcomed by
> quite a few devs, though (see e.g. https://svn.apache.org/r1069765).
> 

Hmm.. I had a look at ssl_pphrase_Handle and agree with the comment ;-)

I'm considering how it might be revised with minimal chance of breakage while
permitting arbitrary numbers of certificates and keys.

At present the serialised version of each key and certificate is indexed using
"vhost:alg". How about instead having a single one indexed as "vhost"? This
could contain all keys and certificates in a single buffer. Keys would be stored
in PKCS#8 format to avoid algorithm dependencies.

The auto increment feature of the i2d/d2i functions is especially designed to
support this.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
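A self-contained sketch of the single-buffer layout discussed above, added here as an illustration and not code from OpenSSL, mod_ssl or this thread. It mirrors the i2d/d2i pointer convention (a NULL output pointer yields the encoded length; otherwise the pointer is advanced past each item written or read) using a toy length-prefixed record format instead of real DER, so it builds without libcrypto. The record kinds, field layout and sample key/certificate bytes are constructed for the example; a real implementation would carry DER PKCS#8 PrivateKeyInfo and X509 encodings in their place.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Record kinds in a per-vhost blob (constructed for this example). */
enum { REC_KEY_PKCS8 = 1, REC_CERT = 2 };

typedef struct {
    int kind;
    uint32_t len;
    const unsigned char *data;  /* points into caller-owned storage */
} record;

/* Encoder following the i2d_* convention: pp == NULL returns the encoded
 * length only; otherwise write at *pp and advance *pp past the bytes written. */
static long i2d_record(const record *r, unsigned char **pp)
{
    long total = 1 + 4 + (long)r->len;
    if (pp == NULL)
        return total;
    unsigned char *p = *pp;
    p[0] = (unsigned char)r->kind;
    p[1] = (unsigned char)(r->len >> 24); p[2] = (unsigned char)(r->len >> 16);
    p[3] = (unsigned char)(r->len >> 8);  p[4] = (unsigned char)(r->len);
    memcpy(p + 5, r->data, r->len);
    *pp = p + total;
    return total;
}

/* Decoder following the d2i_* convention: parse one record at *pp without
 * reading past len bytes, advance *pp on success. Returns 1 on success, 0 on error. */
static int d2i_record(record *out, const unsigned char **pp, long len)
{
    const unsigned char *p = *pp;
    if (len < 5)
        return 0;
    uint32_t n = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
                 ((uint32_t)p[3] << 8) | (uint32_t)p[4];
    if (n > (uint32_t)(len - 5))                  /* length claims more than present */
        return 0;
    if (p[0] != REC_KEY_PKCS8 && p[0] != REC_CERT) /* unknown record kind */
        return 0;
    out->kind = p[0]; out->len = n; out->data = p + 5;
    *pp = p + 5 + n;
    return 1;
}

/* Serialise every key and certificate of one vhost into a single buffer:
 * first pass sizes, second pass encodes with the auto-incremented pointer. */
static unsigned char *pack_vhost(const record *recs, size_t n, long *outlen)
{
    long total = 0;
    for (size_t i = 0; i < n; i++)
        total += i2d_record(&recs[i], NULL);
    unsigned char *buf = malloc(total > 0 ? (size_t)total : 1);
    if (buf == NULL)
        return NULL;
    unsigned char *p = buf;
    for (size_t i = 0; i < n; i++)
        i2d_record(&recs[i], &p);  /* p moves past each record */
    *outlen = total;
    return buf;
}

/* Walk the buffer back into records. Returns the record count, or -1 if the
 * buffer is malformed, truncated, or holds more records than out can take. */
static long unpack_vhost(const unsigned char *buf, long len, record *out, size_t max)
{
    const unsigned char *p = buf, *end = buf + len;
    size_t count = 0;
    while (p < end) {
        if (count == max || !d2i_record(&out[count], &p, (long)(end - p)))
            return -1;
        count++;
    }
    return (long)count;
}

/* Round trip over constructed sample data (two key/cert pairs); returns 1 on success. */
static int demo_roundtrip(void)
{
    static const unsigned char k1[] = "PKCS8-RSA-KEY", c1[] = "RSA-CERT";
    static const unsigned char k2[] = "PKCS8-EC-KEY",  c2[] = "EC-CERT";
    record in[4] = {
        { REC_KEY_PKCS8, sizeof k1 - 1, k1 }, { REC_CERT, sizeof c1 - 1, c1 },
        { REC_KEY_PKCS8, sizeof k2 - 1, k2 }, { REC_CERT, sizeof c2 - 1, c2 },
    };
    long len;
    unsigned char *buf = pack_vhost(in, 4, &len);
    if (buf == NULL)
        return 0;
    record outr[4];
    int ok = unpack_vhost(buf, len, outr, 4) == 4;
    for (int i = 0; ok && i < 4; i++)
        ok = outr[i].kind == in[i].kind && outr[i].len == in[i].len &&
             memcmp(outr[i].data, in[i].data, in[i].len) == 0;
    /* A truncated blob must be rejected outright, not partially accepted. */
    if (ok && unpack_vhost(buf, len - 1, outr, 4) != -1)
        ok = 0;
    free(buf);
    return ok;
}
```

The point of the two-pass `pack_vhost` is that the caller never computes offsets by hand: the encoder advances the pointer itself, so any number of keys and certificates can follow one another in the single "vhost"-indexed buffer, and the decoder stops on the first record whose length field does not fit in the remaining bytes.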
