Posted to dev@httpd.apache.org by zzz <sq...@gmail.com> on 2018/05/13 22:48:52 UTC

modssl_load_engine_keypair() for server

Hello

I noticed this commit recently to mod_ssl by Joe Orton (notroj):

*mod_ssl: Add support for loading TLS certificates through the PKCS#11 *
https://github.com/apache/httpd/commit/9007b62ecc0ad59edb37ec5f267a08868064699c

I am interested in something similar, but for servers (virtualhosts)
instead of Engines (i.e. modssl_load_server_keypair).

Basically my use case is I want to construct (or obtain) an SSL_CTX from
another server for an authorization module - partly to avoid having to deal
directly with loading encrypted certificates myself. Allowing Apache to "do
its thing" in that regard, and then pinching the loaded keypair/SSL_CTX
from another server_rec saves a lot of hassle, and quite frankly makes it
possible.

So basically I would like to start a discussion of whether a similar
function modssl_load_*server*_keypair() or modssl_load_server_sslctx() is
possible.

Cheers,

Re: modssl_load_engine_keypair() for server

Posted by zzz <sq...@gmail.com>.
Hi Joe, do you know in what version of Apache init_server() was introduced? I
am looking at two versions that appear in RHEL6/7 (2.2.15, 2.4.6) and
neither of them has this function, or even the header file mod_ssl_openssl.h.
On a related note, do you know what version of Apache will ship with RHEL8?
Thanks.

On 16 May 2018 at 18:55, Joe Orton <jo...@redhat.com> wrote:

> On Mon, May 14, 2018 at 08:48:52AM +1000, zzz wrote:
> > Basically my use case is I want to construct (or obtain) an SSL_CTX from
> > another server for an authorization module - partly to avoid having to deal
> > directly with loading encrypted certificates myself. Allowing Apache to "do
> > its thing" in that regard, and then pinching the loaded keypair/SSL_CTX
> > from another server_rec saves a lot of hassle, and quite frankly makes it
> > possible.
> >
> > So basically I would like to start a discussion of whether a similar
> > function modssl_load_*server*_keypair() or modssl_load_server_sslctx() is
> > possible.
>
> Hiya, have you looked at mod_ssl_openssl.h?  The "init_server" optional
> hook might do what you want; you get access to the SSL_CTX * for every
> configured server_rec.  Should be simple to extract the keypair from there
> using standard OpenSSL API calls, though be careful with refcounting.
>
> Regards, Joe
>

Re: modssl_load_engine_keypair() for server

Posted by zzz <sq...@gmail.com>.
Hi Joe, no I was not particularly aware of init_server() but I will take a
look. Thanks.

On 16 May 2018 at 18:55, Joe Orton <jo...@redhat.com> wrote:

> On Mon, May 14, 2018 at 08:48:52AM +1000, zzz wrote:
> > Basically my use case is I want to construct (or obtain) an SSL_CTX from
> > another server for an authorization module - partly to avoid having to deal
> > directly with loading encrypted certificates myself. Allowing Apache to "do
> > its thing" in that regard, and then pinching the loaded keypair/SSL_CTX
> > from another server_rec saves a lot of hassle, and quite frankly makes it
> > possible.
> >
> > So basically I would like to start a discussion of whether a similar
> > function modssl_load_*server*_keypair() or modssl_load_server_sslctx() is
> > possible.
>
> Hiya, have you looked at mod_ssl_openssl.h?  The "init_server" optional
> hook might do what you want; you get access to the SSL_CTX * for every
> configured server_rec.  Should be simple to extract the keypair from there
> using standard OpenSSL API calls, though be careful with refcounting.
>
> Regards, Joe
>

Re: modssl_load_engine_keypair() for server

Posted by Joe Orton <jo...@redhat.com>.
On Mon, May 14, 2018 at 08:48:52AM +1000, zzz wrote:
> Basically my use case is I want to construct (or obtain) an SSL_CTX from
> another server for an authorization module - partly to avoid having to deal
> directly with loading encrypted certificates myself. Allowing Apache to "do
> its thing" in that regard, and then pinching the loaded keypair/SSL_CTX
> from another server_rec saves a lot of hassle, and quite frankly makes it
> possible.
> 
> So basically I would like to start a discussion of whether a similar
> function modssl_load_*server*_keypair() or modssl_load_server_sslctx() is
> possible.

Hiya, have you looked at mod_ssl_openssl.h?  The "init_server" optional
hook might do what you want; you get access to the SSL_CTX * for every
configured server_rec.  Should be simple to extract the keypair from there
using standard OpenSSL API calls, though be careful with refcounting.

Regards, Joe