On Sun, Oct 13, 2013 at 2:24 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
> On 13.10.2013 00:43, Trevor Perrin wrote:
>>
>> But maybe the easiest way to handle this is to create another hash
>> table like tPublicCert (e.g. tServerInfoFile or tSSLConfCmd).
>>
>> This table could be populated in ssl_pphrase_Handle at the same time
>> that the tPublicCert table is populated, and read in
>> ssl_server_import_certs()?
>
> Please not... as the comment in ssl_private.h already says, "This should
> really be fixed using a smaller structure".
>
> As a proof of concept (or proof of my theory, if you like), I'm
> attaching a patch which completely does without the whole
> ssl_pphrase_Handle dance (with the limitation of not supporting
> encrypted key files, currently).

Hi Kaspar,

I looked at your patch. Besides lack of passphrase-handling, it breaks compatibility with existing config files (which assume certs/keys are matched by type, not order). Also, I don't see an obvious way to interleave SSL_CONF ServerInfoFile commands.

> Provided that OpenSSL adds support for KeyFile and CertificateFile to
> SSL_CONF, you could simply replace the
> SSL_CTX_use_certificate_chain_file()/SSL_CTX_use_PrivateKey_file() calls
> with a replay of the whole SSL_CONF_CMD stanza, including ServerInfoFile.

That would work, but someone would have to rewrite all the passphrase-handling code, and users would have to switch to a new set of commands for working with certs / keys. Seems like a lot of work. For example, how would the generic SSLConfCmd commands get hooked-up with passphrase handling for the key files?

>> Perhaps I could just do a directive for now, and let all this be swept
>> into a big redesign later?
>
> It depends on what your goal is. If it's a patch for your own needs,
> then that's fine, but I'm clearly not in support of adding this to the
> mod_ssl tree (not to trunk, but even less as a backport to 2.4.x).

I'd like to get ServerInfo support into mod_ssl. I could add a "ServerInfoFile" directive pretty easily and cleanly, per previous mail. Redesigning and reimplementing all of mod_ssl's cert / key handling around SSLConfCmd is a bigger task than I can handle. If someone else is tackling that, I could add a ServerInfoFile command later. But I still wonder if a ServerInfoFile directive would be worthwhile, in the meantime.

Trevor