Graham Leggett wrote:
> 
> Hi all,
> 
> I want to be able to insert the mod_tls filters at the relevant places
> in the proxy so as to support backend TLS to https:// and ftps:// URLs.
> Trouble is, the "sense" of the certificates will be the other way around
> - I would need to specify a set of root certificates instead of a single
> cert/key combination.
> 
> Is this the case? Or can I put in a set of root certs where the cert/key
> pairs are?

Sorry for the delay - the intent of mod_tls is to provide filters for
all SSL/TLS use in Apache - however, it is more subtle than you think -
SSL is not symmetric, so several things have to be done differently when
you are using it for a client as opposed to when it is being used as a
server. One thing is the certs, another is the SSL "method" (a thing
that is internal to OpenSSL - chooses client or server and SSL version)
and, of course, the client initiates the connection instead of accepting
an incoming one. mod_tls should provide the functionality for either
direction (much of it is common), but currently doesn't - I'd suggest we
think about this when the (anticipated) flurry of work that's about to
happen dies down, if that's OK with you.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/
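
The three differences named in the reply above (certificates, method, and who initiates), as an added example that is not part of the original message and is not mod_tls code. It uses Python's `ssl` module, which wraps OpenSSL; the helper names, the optional file arguments and the host name `backend.example` are assumptions made for illustration.

```python
import ssl


def client_context(ca_file=None):
    """Proxy-to-backend leg: the proxy is the TLS client."""
    # Client "method": this context may only start client-side handshakes.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Client-side "certs" are trust roots used to verify the backend's chain.
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def server_context(cert_file=None, key_file=None):
    """Browser-to-server leg: Apache is the TLS server."""
    # Server "method": this context may only accept handshakes.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Server-side "certs" are one certificate chain plus its private key.
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def describe(ctx):
    """Summarise how the context treats the peer's certificate."""
    return {"verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_hostname": ctx.check_hostname}


def first_flight(ctx, server_side):
    """Start a handshake over in-memory BIOs; return the bytes sent first."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Only the client names the host it expects (hypothetical backend name).
    kwargs = {} if server_side else {"server_hostname": "backend.example"}
    tls = ctx.wrap_bio(incoming, outgoing, server_side=server_side, **kwargs)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing more can happen until the peer sends data
    return outgoing.read()


if __name__ == "__main__":
    print("client:", describe(client_context()))
    print("server:", describe(server_context()))
    print("client speaks first:", len(first_flight(client_context(), False)), "bytes")
    print("server speaks first:", len(first_flight(server_context(), True)), "bytes")
```

The client context verifies the peer's chain and host name by default and emits a ClientHello without any input, while the server context sends nothing until a client has spoken.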
