Posted to dev@httpd.apache.org by zzz <sq...@gmail.com> on 2017/03/21 23:08:46 UTC

[request] public API to SSL_CTX from mod_ssl

I am prototyping an Apache module that performs certain security compliance
checks, one aspect of which requires access to the SSL_CTX that mod_ssl
creates for an SSL enabled server.

Access to that object is currently through the SSLSrvConfigRec->server
and modssl_ctx_t->ssl_ctx structures, which works well but I would like to
avoid directly accessing these private structures if possible.

It would be nice if the public API of mod_ssl (perhaps exposed in
ssl_util_ssl.h) defined a function such as:

/* please be a function not a macro! */
SSL_CTX *sslctx_from_server(server_rec *s)
{
        SSLSrvConfigRec *sc = mySrvConfig(s);

        if (sc && sc->enabled > 0) {
            return sc->server->ssl_ctx;
        }
        return NULL;
}

Of course if there is a better way to go about it glad to hear it!

Thanks.

Re: [request] public API to SSL_CTX from mod_ssl

Posted by zzz <sq...@gmail.com>.
On 22 March 2017 at 10:26, William A Rowe Jr <wr...@rowe-clan.net> wrote:

> On Tue, Mar 21, 2017 at 6:08 PM, zzz <sq...@gmail.com> wrote:
> > I am prototyping an Apache module that performs certain security compliance
> > checks, one aspect of which requires access to the SSL_CTX that mod_ssl
> > creates for an SSL enabled server.
> >
> > Access to that object is currently through the SSLSrvConfigRec->server and
> > modssl_ctx_t->ssl_ctx structures, which works well but I would like to avoid
> > directly accessing these private structures if possible.
> >
> > It would be nice if the public API of mod_ssl (perhaps exposed in
> > ssl_util_ssl.h) defined a function such as:
> >
> > /* please be a function not a macro! */
> > SSL_CTX *sslctx_from_server(server_rec *s)
> > {
> >         SSLSrvConfigRec *sc = mySrvConfig(s);
> >         if (sc && sc->enabled > 0) {
> >             return sc->server->ssl_ctx;
> >         }
> >         return NULL;
> > }
> >
> > Of course if there is a better way to go about it glad to hear it!
>
> Because our design model allows us to substitute at-will the underlying
> providers, that is not likely to become public.
>
> Perhaps an accessor fn to return the ctx or not, but that would have to
> be scoped by the version of OpenSSL which mod_ssl is compiled against.
> It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or
> whatever... you also have a revisioned ssl context structure.
>
> So diving into the private values is fine, if you know exactly what you
> are doing (e.g. you built the OpenSSL dependency too)... otherwise
> it's necessary for us to express a new API to get a reversioned ctx
> pointer with enough information to know what is at the end of that
> pointer.
>


That is a good point. I guess any function like this would be "user beware"
and expects any caller to know what to expect in the rv and what to do with
it. Although when you are targeting a stable platform like RHEL you can
make some fairly safe assumptions.

My main issue is just with the potential for private structures to change
beneath me, leading to access violations if the offsets change.

Even a new *private* API in ssl_private.h that encapsulated the offsets
like the above function does would be great.

If not, I guess I will just have to be vigilant about upstream changes,
maybe by watching Fedora. I know there is a change in trunk that would
affect it, but it looks slated for 2.6/3 or whatever.

Re: [request] public API to SSL_CTX from mod_ssl

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Tue, Mar 21, 2017 at 6:08 PM, zzz <sq...@gmail.com> wrote:
> I am prototyping an Apache module that performs certain security compliance
> checks, one aspect of which requires access to the SSL_CTX that mod_ssl
> creates for an SSL enabled server.
>
> Access to that object is currently through the SSLSrvConfigRec->server and
> modssl_ctx_t->ssl_ctx structures, which works well but I would like to avoid
> directly accessing these private structures if possible.
>
> It would be nice if the public API of mod_ssl (perhaps exposed in
> ssl_util_ssl.h) defined a function such as:
>
> /* please be a function not a macro! */
> SSL_CTX *sslctx_from_server(server_rec *s)
> {
>         SSLSrvConfigRec *sc = mySrvConfig(s);
>         if (sc && sc->enabled > 0) {
>             return sc->server->ssl_ctx;
>         }
>         return NULL;
> }
>
> Of course if there is a better way to go about it glad to hear it!

Because our design model allows us to substitute at-will the underlying
providers, that is not likely to become public.

Perhaps an accessor fn to return the ctx or not, but that would have to
be scoped by the version of OpenSSL which mod_ssl is compiled against.
It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or
whatever... you also have a revisioned ssl context structure.

So diving into the private values is fine, if you know exactly what you
are doing (e.g. you built the OpenSSL dependency too)... otherwise
it's necessary for us to express a new API to get a reversioned ctx
pointer with enough information to know what is at the end of that
pointer.
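The following is an added example, not httpd or mod_ssl code, sketching the accessor shape this reply argues for: instead of the bare `SSL_CTX *` requested in the original post, the handle carries a provider tag and the library version so the caller can check what is at the end of the pointer before casting it. All names (`modssl_ctx_handle_t`, `MODSSL_PROVIDER_*`, `modssl_get_ctx_handle`, `my_accept_ctx`, `sample_server_t`) and the version value are hypothetical or constructed; the stand-in server struct replaces `server_rec`/`SSLSrvConfigRec` so it builds without httpd or OpenSSL headers.

```c
#include <stddef.h>

/* Which TLS library mod_ssl was built against (hypothetical tags). */
typedef enum {
    MODSSL_PROVIDER_NONE = 0,
    MODSSL_PROVIDER_OPENSSL,
    MODSSL_PROVIDER_LIBRESSL
} modssl_provider_t;

/* The handle carries the provider tag and the library's version number
 * alongside the opaque pointer, so a caller can tell what is at the end
 * of that pointer before casting it to SSL_CTX *. */
typedef struct {
    modssl_provider_t provider;
    unsigned long     lib_version;  /* OPENSSL_VERSION_NUMBER layout */
    void             *ctx;          /* SSL_CTX * when provider matches */
} modssl_ctx_handle_t;

/* Stand-in for server_rec + SSLSrvConfigRec: constructed sample data,
 * so the example builds without httpd or OpenSSL headers. */
typedef struct {
    int   ssl_enabled;
    void *ssl_ctx;
} sample_server_t;

/* Hypothetical accessor. Returns 0 with a zeroed handle when SSL is not
 * enabled for the server, mirroring the NULL return in the proposal. */
int modssl_get_ctx_handle(const sample_server_t *s, modssl_ctx_handle_t *out)
{
    out->provider = MODSSL_PROVIDER_NONE;
    out->lib_version = 0;
    out->ctx = NULL;
    if (!s || !s->ssl_enabled || !s->ssl_ctx)
        return 0;
    out->provider = MODSSL_PROVIDER_OPENSSL;
    out->lib_version = 0x1000208fUL;  /* constructed: OpenSSL 1.0.2h */
    out->ctx = s->ssl_ctx;
    return 1;
}

/* Consumer side: accept the pointer as an OpenSSL SSL_CTX only when the
 * provider and the major.minor.fix version match what this module was
 * compiled against; otherwise refuse rather than walk an unknown layout. */
int my_accept_ctx(const modssl_ctx_handle_t *h, unsigned long built_against)
{
    if (h->provider != MODSSL_PROVIDER_OPENSSL || h->ctx == NULL)
        return 0;
    /* OPENSSL_VERSION_NUMBER is 0xMNNFFPPS; shift off patch and status. */
    return (h->lib_version >> 12) == (built_against >> 12);
}
```

A module built against a different OpenSSL minor, or against a different provider entirely, gets a refusal from `my_accept_ctx` instead of the access violation the original poster worries about when structure offsets move.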