On Fri, Jan 11, 2008, Victor Duchovni wrote:
> On Fri, Jan 11, 2008 at 07:28:00PM +0100, Dr. Stephen Henson wrote:
>
> > On Fri, Jan 11, 2008, Rodney Thayer wrote:
> > >
> > > I wonder if apache-ssl supports ECC...
> > >
> >
> > Apache currently has algorithm specific code for keys and certificates with
> > only RSA and DSA included as standard. That means each new public key
> > algorithm needs to be added as a special case.
>
> Is this a historical accident or deliberate choice? The easy way to
> install certs with recent OpenSSL releases is not algorithm dependent...
>
>     /* Import cert */
>     if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>         tls_print_errors();
>         return (0);
>     }
>     /* Import key */
>     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
>         tls_print_errors();
>         return (0);
>     }
>     /* Check that key matches cert */
>     if (!SSL_CTX_check_private_key(ctx))
>         return (0);
>     return (1);
>
> Just call this N times (with 0.9.9 N <= 3) for N matching cert/key pairs
> for a supported algorithm. Is Apache using an older API? Are they getting
> some benefit from using lower-level algorithm-specific code?
>
It is using an older API in a number of places. The initial benefit was to
perform serialisation of keys but there have been portable ways to do that
without serialisation for some time.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]