Ralf S. Engelschall wrote:
> 
> In article <[EMAIL PROTECTED]> you wrote:
> > Ralf S. Engelschall wrote:
> >> In short, this (the s_server approach) works:
> >>
> >>     ctx = SSL_CTX_new();
> >>     SSL_CTX_set_tmp_rsa_callback(ctx, ...);
> >>     SSL_CTX_use_certificate(ctx, ...);
> >>     ssl = SSL_new();
> >>     /* now ssl->cert contains the callbacks for the RSA temp key */
> >>
> >> while this (the mod_ssl approach) fails:
> >>
> >>     ctx = SSL_CTX_new();
> >>     SSL_CTX_set_tmp_rsa_callback(ctx, ...);
> >>     ssl = SSL_new();
> >>     SSL_use_certificate(ctx, ...);
> 
> > Surely this is:
> >   SSL_use_certificate(ssl,...);
> 
> Yes, sorry: cut & paste.
> 
> > and there's the point - if you want to use the cert from the context,
> > then don't set one on the session. If you set one on the session, its
> > _wrong_ to copy the temp key from the context.
> 
> Why? The context's purpose is to provide _defaults_ and so
> it seems reasonable to me that the temp keys are considered
> as defaults and preserved.

The temp key is a property of the cert, not the context. Set a new cert,
you have to set a new temp key. Perhaps the real problem is that the
functions should operate on certs and not session or contexts?

> 
> > What you really want is the corresponding tmp_{rsa,dh} functions, i.e.:
> 
> > void SSL_set_tmp_rsa(SSL *ssl,RSA *rsa);
> 
> > and so on.
> 
> Yes, I've thought about this, too. This is a possible alternative.  Actually I
> think we should provide both functionalities: preserved defaults and a way to
> explicitly set the stuff on a per connection basis. More opinions?

I don't think we should encourage weakening of security. The temp keys
are only there to weaken it in the first place, so spreading them around
more is a Bad Thing, IMO (this is why I decided in the end to not
pre-generate the temp keys in Apache-SSL - must update that comment).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
