Posted to dev@httpd.apache.org by Kaspar Brand <ht...@velox.ch> on 2013/04/06 11:40:12 UTC

Re: svn commit: r1352596 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_private.h

On 21.06.2012 18:17, ben@apache.org wrote:
> Author: ben
> Date: Thu Jun 21 16:17:41 2012
> New Revision: 1352596
> 
> URL: http://svn.apache.org/viewvc?rev=1352596&view=rev
> Log:
> RFC 5878 support.
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/ssl/mod_ssl.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>     httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>     httpd/httpd/trunk/modules/ssl/ssl_private.h

Considering how things evolved since June last year, I propose to revert
this patch, for the following reasons:

- as pointed out in my backport votes (http://svn.apache.org/r1395229),
the code is still quite far from being an "implementation" of RFC 5878,
and OpenSSL itself hasn't received any updates to the code added in May 2012

- the SSL*AuthzFile directives for mod_ssl are completely undocumented
as of today, and SSL_CTX_use_authz_file uses an opaque format (which
might see further modifications, see e.g. [1])

- earlier this year it became clear that the first version of the
OpenSSL code for "RFC 5878 support" wasn't really correct [2], and
meanwhile the CT I-D has switched to using a dedicated TLS extension
[3], in any case

- Dr Steve has added support for OpenSSL's new SSL_CONF_* stuff in
December (http://svn.apache.org/r1421323 - pretty cool!), and since this
is also available in the OpenSSL_1_0_2-stable branch, it would
definitely be the way to go for adding support for "not yet recognized"
OpenSSL options to mod_ssl

Unless someone is clearly objecting (please raise your voice), I intend
to commit the attached patch in about a week.

Kaspar


[1] https://github.com/trevp/openssl_extender

[2] http://www.ietf.org/mail-archive/web/therightkey/current/msg00597.html

[3] http://www.ietf.org/rfcdiff?url2=draft-laurie-pki-sunlight-06#diff0077