Posted to dev@httpd.apache.org by Kaspar Brand <ht...@velox.ch> on 2011/12/22 11:59:26 UTC

mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

On 05.08.2011 07:41, Kaspar Brand wrote:
> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>> related structures opaque and only allow them to be accessed through functions.
>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
>> headers.
> 
> Thanks for this information, this definitely seems a desirable goal for
> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).

Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
look. With trunk/2.4.x, things are already in pretty good shape, I think.

> I haven't had time to try getting mod_ssl to work with this option. It is
> guaranteed to fail without some modification. There may well be some
> functionality missing in OpenSSL too.

For mod_ssl, after some tweaking, two things are basically missing with
the current 1.0.1 snapshots:

1) access to the SSL_CTX's "extra_certs". Currently there's only
SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
configured stack of certs, and no option to clear that stack. mod_ssl
needs this for ssl_util_stapling.c:stapling_get_issuer(),
ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
ssl_util_ssl.c:SSL_CTX_use_certificate_chain().

2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().

Is there a chance to add these for the initial 1.0.1 release?

Kaspar

Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

Posted by Kaspar Brand <ht...@velox.ch>.
On 23.12.2011 18:13, Dr Stephen Henson wrote:
> Your patch to trunk/2.4.x looks fine. You can simplify the clearing of the extra
> chain slightly by just unconditionally calling: [...]

Thanks, patch adapted and committed in r1222917 and r1222920, respectively.

Kaspar

Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 23/12/2011 07:52, Kaspar Brand wrote:
> On 22.12.2011 17:53, Dr Stephen Henson wrote:
>> I've added a few new controls and one new function which should resolve this,
>> see last few commits.
>>
>> I deleted a couple of functions duplicating functionality too.
>>
>> Let me know if you need further details or it needs fixing.
> 
> Thanks for the very prompt reaction. With the attached changes to ssl.h,
> works fine for me. If you agree with these, my plan would be to commit
> the attached patch to trunk/2.4.x. Comments welcome.
> 

OK, thanks. I've fixed the two typos now.

Your patch to trunk/2.4.x looks fine. You can simplify the clearing of the extra
chain slightly by just unconditionally calling:

SSL_CTX_clear_extra_chain_certs(ctx);

which will just be a no-op if the chain is empty.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com

Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

Posted by Kaspar Brand <ht...@velox.ch>.
On 22.12.2011 17:53, Dr Stephen Henson wrote:
> I've added a few new controls and one new function which should resolve this,
> see last few commits.
> 
> I deleted a couple of functions duplicating functionality too.
> 
> Let me know if you need further details or it needs fixing.

Thanks for the very prompt reaction. With the attached changes to ssl.h,
works fine for me. If you agree with these, my plan would be to commit
the attached patch to trunk/2.4.x. Comments welcome.

Kaspar

Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 22/12/2011 10:59, Kaspar Brand wrote:
> On 05.08.2011 07:41, Kaspar Brand wrote:
>> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>>> related structures opaque and only allow them to be accessed through functions.
>>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
>>> headers.
>>
>> Thanks for this information, this definitely seems a desirable goal for
>> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).
> 
> Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
> look. With trunk/2.4.x, things are already in pretty good shape, I think.
> 
>> I haven't had time to try getting mod_ssl to work with this option. It is
>> guaranteed to fail without some modification. There may well be some
>> functionality missing in OpenSSL too.
> 
> For mod_ssl, after some tweaking, two things are basically missing with
> the current 1.0.1 snapshots:
> 
> 1) access to the SSL_CTX's "extra_certs". Currently there's only
> SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
> configured stack of certs, and no option to clear that stack. mod_ssl
> needs this for ssl_util_stapling.c:stapling_get_issuer(),
> ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
> ssl_util_ssl.c:SSL_CTX_use_certificate_chain().
> 
> 2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
> ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().
> 
> Is there a chance to add these for the initial 1.0.1 release?
> 

I've added a few new controls and one new function which should resolve this,
see last few commits.

I deleted a couple of functions duplicating functionality too.

Let me know if you need further details or it needs fixing.

Steve.