On 11/10/2013 05:14, Kaspar Brand wrote: > On 09.10.2013 15:52, Dr Stephen Henson wrote: >> It's tempting to just add a directive but after some thought I think >> expanding >> Apache SSL_CONF handling is the way to go. This would add some future >> proofing >> so we don't have to go through this all again in future. > > Yes, please. Let's not perpetuate the pattern of adding another > directive to mod_ssl whenever a new OpenSSL feature needs to be exposed. > > As an interim step, and sort of a proof of concept, it might be > worthwile to see if adding equivalents of SSLCertificateFile and > SSLCertificateKeyFile to SSLOpenSSLConfCmd (in ssl/ssl_conf.c, at the > OpenSSL end) would allow support for per-cert options. The concept of > collecting the options in ssl_cmd_SSLOpenSSLConfCmd and replying them at > the appropriate place in ssl_engine_init.c would remain, and you would > use something like > > <VirtualHost ...> > OpenSSLConfCmd KeyFile foo.key > OpenSSLConfCmd CertificateFile foo.crt > OpenSSLConfCmd ServerInfoFile foo.pem > OpenSSLConfCmd KeyFile bar.key > OpenSSLConfCmd CertificateFile bar.crt > OpenSSLConfCmd ServerInfoFile bar.pem > </VirtualHost> > > to configure multiple cert and "current-cert" settings in turn (and not > worry about the case of encrypted private keys, for the time being). > "KeyFile" would result in calling SSL_CTX_use_PrivateKey_file(), and > "CertificateFile" in SSL_CTX_use_certificate_chain_file(). >
I had considered some equivalents of "CertificateFile" for the SSL_CONF API and definitely intend that for a future version of SSL_CONF. The idea of being able to have OpenSSL handle the often complex issue of certificate and key configuration properly and releave the burden from applications is rather compelling. However I felt it needed rather more thought as it's a complex issue. I'd like to handle all sorts of things like HSM keys, PKCS#12 files etc etc. I also have to mention that I wasn't at all sure this would work with Apache's rather curious configuration needs. As an experimental feature to test the "current-cert" handling it would be easy enough though. [BTW: also on the list for SSL_CONF is certificate verification: but that's considerably harder] IMHO though there needs to be a way to be able to tie a directive to a certificate in mod_ssl anyway though. I'm surprised no one has needed to do that before. > ssl_engine_init.c:ssl_init_server_ctx() is most likely the appropriate > place for inserting this (i.e., it's perhaps best to move the current > SSL_CONF_CMD block from the end of ssl_init_ctx_protocol() to somewhere > in ssl_init_server_ctx(), maybe some tweaks are needed for > ssl_init_server_certs(), too). What I would try to avoid right now is > fiddling with the tPublicCert, tVHostKey and tPrivateKey hashes (and the > ssl_asn1_table_* friends). > Well moving the SSL_CONF_CMD block does have some consequences. I placed it at (what I think is) the last possible point for a reason: so the SSL_CONF could reset just about anything set by Apache. I think at least some twiddling with ssl_pphrase_Handle() would be needed because Apache will (I think) choke if you have no certificates configured. It might be an idea to support certificateless servers anyway as someone might want one with anon-DH or PSK.. though I don't think PSK is currently supported: yes even as I typed that I wondered if that could be fixed through SSL_CONF. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com
