Support of more public key algorithms in mod_ssl

[Victor Wagner <vi...@wagner.pp.ru>]

Current development version of OpenSSL (0.9.9) supports more public
key algorithms than just DSA and RSA.

There is number of Elliptic Curve based ciphersuites (ECDSA
authentication, ECDH key exchange) and recently few ciphersuites based
on Russian national cryptography standards (GOST) are added. 

It is quite possible (if not already planned) that even more various
algorithms would be supported in future.

However, Apache mod_ssl  still explicitely supports only two
certificate/private key pairs to be added into SSL_CTX (while internally 
there can be up to 8 certificates in 0.9.9 and even more when ability to 
load several ECC certificates with different curves would be
implemented).

I've tried to generalize support for public key algorithms in the
apache. My main objective was to support GOST ciphersuites.

GOST algorithms are not included into OpenSSL core. Instead they are
provided by loadable engine module (because they are hardly needed for
users outside Russia). 

When I've tested this configuration I've found following problems

1. Apache calls SSL_library_init function before it loads ENGINE module
   specified by SSLCryptoDevice directive.

   But SSL_library_init fills internal arrays of libssl with pointers to
   EVP_MD and EVP_CIPHER structures, which have pointers to particular
   implementation of digest and symmetric cipher algorithms.
   So, if somebody wants to use engine which implement digest or
   symmetric cipher (i.e. hardware cryptoprocessor which implements AES), 
   it wont be used because implementation of cipher
   would be searched before harware supported one is availible 
 
2. ab utility doesn't have any way to configure OpenSSL library. This
   would probably affect anybody who do not use algorithms implemented
   in the engine only, but fix is quite simple - just call
   OPENSSL_config(NULL) function before SSL_library_init to read
   system-wide openssl configuration file.

Attached patch (made against 2.2.6 release) fixes this problems and
extends number of supported algorthms. Also it does some generalization
of loading keys and certificates into SSL_CTX structure - there is loop
over list of supported algorithms, rather then to explicit calls for RSA
and DSA.

Really, there probably is a  better way for such generalization.
Ideally, Apache should never make assumptions about what types of
private keys and certificates can exist, and just delegate the whole job
to OpenSSL. Version 0.9.9, for instance, contain API to find out name of
algorithm from EVP_PKEY structure.

								Regards, Victor
--

Re: Support of more public key algorithms in mod_ssl

[Dr Stephen Henson <sh...@oss-institute.org>]

Victor Wagner wrote:
>  
> 2. ab utility doesn't have any way to configure OpenSSL library. This
>    would probably affect anybody who do not use algorithms implemented
>    in the engine only, but fix is quite simple - just call
>    OPENSSL_config(NULL) function before SSL_library_init to read
>    system-wide openssl configuration file.
> 

A more generalized version of this is in the patch to Bug 43931 which
adds configuration options for alternative configuration file locations
and sections.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.