On Thu, Jun 24, 1999, Matthias Loepfe wrote:
> [...]
> > Hmmm... the client handling should be done on-the-fly. But perhaps the
> > loading is already broken. You can find it in functions
> > SSL_CA_load_certs_file() and SSL_CA_load_certs_path() in ssl_util_ssl.c. The
> > on-the-fly handling is done by ssl_ext_mp_clientcert_cb() in ssl_engine_ext.c.
> > You can debug this by adding some ssl_log() calls to this function.
> > Perhaps no CA matches the client certs.
>
> I already stept through the code with the debugger before I sent the last
> mail. To me it looks as if the whole code for the loading of the private keys
> is missing.
>
> I think the name of the function which loads the certs
> 'SSL_CA_load_certs_file()' is strange (probably legacy). The 'CA' means for me
> it was written to load CA certs for which we never have to load a private key.
> The other thing is that if you load a file with multiple certs in it how can
> you easily assign and find the private keys. I expect for this usage that
> each file MUST contain the cert and the private key and only that.
Hmmm... SSL_CA_load_certs_file() calls PEM_X509_INFO_read_bio() and this is
aware of both X509 certs and private keys. One actually gets back a stack of
info structures which contain both certs and keys. So the code it correct, but
the function names are bugus, of course. But you're right. This silently
assumes that first the certs and keys are bundled together into the same file
and second that the keys are all unencrypted.
> As the private keys are normaly encrypted I think we should add these certs and
> keys to the 'szPublicCertFile' and 'szPrivateKeyFile' arrays so that they get
> handled by the 'ssl_pphrase_Handle' function.
>
> What do you think?
Hmmm... yes, I think Strongholds old assumptions are too unrealistic. We
should allow these client keys to be encrypted. And you're right, for these
we've to pre-process the proxy stuff already at startup so they are handled by
the pass phrase dialog.
I think let us do the things step by step. First try to put certs and
unecnrypted keys into own files to let the proxy stuff work the first time.
Then we can add the support for encrypted keys be pre-processing the proxy
configuration at startup.
Thank you again for helping me out making this stuff working. It's very
interesting stuff which should go into mod_ssl 2.4 in a useable fashion. Sorry
that I've not time to work on this currently. That's why I'm very happy that
you help out.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
