On 11/10/2013 05:14, Kaspar Brand wrote:
> On 09.10.2013 15:52, Dr Stephen Henson wrote:
>> It's tempting to just add a directive but after some thought I think expanding
>> Apache SSL_CONF handling is the way to go. This would add some future proofing
>> so we don't have to go through this all again in future.
>
> Yes, please. Let's not perpetuate the pattern of adding another
> directive to mod_ssl whenever a new OpenSSL feature needs to be exposed.
>
> As an interim step, and sort of a proof of concept, it might be
> worthwhile to see if adding equivalents of SSLCertificateFile and
> SSLCertificateKeyFile to SSLOpenSSLConfCmd (in ssl/ssl_conf.c, at the
> OpenSSL end) would allow support for per-cert options. The concept of
> collecting the options in ssl_cmd_SSLOpenSSLConfCmd and replaying them at
> the appropriate place in ssl_engine_init.c would remain, and you would
> use something like
>
>   <VirtualHost ...>
>     OpenSSLConfCmd KeyFile foo.key
>     OpenSSLConfCmd CertificateFile foo.crt
>     OpenSSLConfCmd ServerInfoFile foo.pem
>     OpenSSLConfCmd KeyFile bar.key
>     OpenSSLConfCmd CertificateFile bar.crt
>     OpenSSLConfCmd ServerInfoFile bar.pem
>   </VirtualHost>
>
> to configure multiple cert and current-cert settings in turn (and not
> worry about the case of encrypted private keys, for the time being).
> KeyFile would result in calling SSL_CTX_use_PrivateKey_file(), and
> CertificateFile in SSL_CTX_use_certificate_chain_file().

I had considered some equivalents of CertificateFile for the SSL_CONF API and
definitely intend that for a future version of SSL_CONF.

The idea of being able to have OpenSSL handle the often complex issue of
certificate and key configuration properly and relieve the burden from
applications is rather compelling.

However I felt it needed rather more thought as it's a complex issue. I'd like
to handle all sorts of things like HSM keys, PKCS#12 files etc etc. I also have
to mention that I wasn't at all sure this would work with Apache's rather
curious configuration needs.

As an experimental feature to test the current-cert handling it would be easy
enough though.

[BTW: also on the list for SSL_CONF is certificate verification: but that's
considerably harder]

IMHO though there needs to be a way to be able to tie a directive to a
certificate in mod_ssl anyway though. I'm surprised no one has needed to do that
before.

> ssl_engine_init.c:ssl_init_server_ctx() is most likely the appropriate
> place for inserting this (i.e., it's perhaps best to move the current
> SSL_CONF_CMD block from the end of ssl_init_ctx_protocol() to somewhere
> in ssl_init_server_ctx(), maybe some tweaks are needed for
> ssl_init_server_certs(), too). What I would try to avoid right now is
> fiddling with the tPublicCert, tVHostKey and tPrivateKey hashes (and the
> ssl_asn1_table_* friends).

Well moving the SSL_CONF_CMD block does have some consequences. I placed it at
(what I think is) the last possible point for a reason: so the SSL_CONF could
reset just about anything set by Apache.

I think at least some twiddling with ssl_pphrase_Handle() would be needed
because Apache will (I think) choke if you have no certificates configured.

It might be an idea to support certificateless servers anyway as someone might
want one with anon-DH or PSK.. though I don't think PSK is currently supported:
yes even as I typed that I wondered if that could be fixed through SSL_CONF.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
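
An added illustration, not part of the original message and not mod_ssl or OpenSSL code: a small C model of the "collect, then replay in order" idea discussed in the thread, showing why command order decides which certificate a current-cert option such as ServerInfoFile binds to. The function and struct names are hypothetical, the command names are the ones proposed in the thread, and the rule that KeyFile opens a new certificate entry is an assumption taken from the ordering of the quoted example.

```c
#include <stdio.h>
#include <string.h>

/* One collected "OpenSSLConfCmd <name> <value>" pair, in config-file order. */
struct conf_cmd { const char *name, *value; };
/* What ends up bound to one certificate once the list has been replayed. */
struct cert_slot { const char *key, *cert, *serverinfo; };
#define MAX_SLOTS 8

/* Assumed rule, taken from the ordering in the thread's example: KeyFile opens
 * a new slot; CertificateFile and ServerInfoFile bind to the open slot.
 * Returns the slot count, or -(i+1) where i is the offending command index. */
int group_by_current_cert(const struct conf_cmd *c, int n, struct cert_slot *s)
{
    int cur = -1, opened_at = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(c[i].name, "KeyFile") == 0) {
            if (cur >= 0 && !s[cur].cert) return -(opened_at + 1); /* key without cert */
            if (cur + 1 == MAX_SLOTS) return -(i + 1);
            s[++cur] = (struct cert_slot){ c[i].value, NULL, NULL };
            opened_at = i;
        } else if (strcmp(c[i].name, "CertificateFile") == 0) {
            if (cur < 0 || s[cur].cert) return -(i + 1);   /* no key, or second cert */
            s[cur].cert = c[i].value;
        } else if (strcmp(c[i].name, "ServerInfoFile") == 0) {
            if (cur < 0 || !s[cur].cert || s[cur].serverinfo) return -(i + 1);
            s[cur].serverinfo = c[i].value;                 /* current-cert option */
        }   /* anything else is context-wide and not tied to a certificate */
    }
    if (cur >= 0 && !s[cur].cert) return -(opened_at + 1);
    return cur + 1;
}

/* Constructed inputs: the thread's example, and a misordered variant. */
static const struct conf_cmd good_cmds[] = {
    {"KeyFile", "foo.key"}, {"CertificateFile", "foo.crt"}, {"ServerInfoFile", "foo.pem"},
    {"KeyFile", "bar.key"}, {"CertificateFile", "bar.crt"}, {"ServerInfoFile", "bar.pem"} };
static const struct conf_cmd bad_cmds[] = {
    {"ServerInfoFile", "foo.pem"}, {"KeyFile", "foo.key"}, {"CertificateFile", "foo.crt"} };

int main(void)
{
    struct cert_slot s[MAX_SLOTS];
    int n = group_by_current_cert(good_cmds, 6, s);
    for (int i = 0; i < n; i++)
        printf("cert %d: key=%s cert=%s serverinfo=%s\n", i, s[i].key, s[i].cert, s[i].serverinfo);
    printf("misordered list rejected at command %d\n", -group_by_current_cert(bad_cmds, 3, s) - 1);
    return 0;
}
```

A ServerInfoFile that appears before any certificate has nothing to bind to, so the model rejects it instead of silently attaching it to the wrong entry.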