Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2014/01/03 20:31:17 UTC

Re: [PATCH 55593] Add "SSLServerInfoFile" directive

On Tue, Oct 22, 2013 at 4:04 PM, Dr Stephen Henson <
shenson@opensslfoundation.com> wrote:

> On 22/10/2013 20:14, Trevor Perrin wrote:
> > On Mon, Oct 21, 2013 at 5:45 AM, Dr Stephen Henson
> > <sh...@opensslfoundation.com> wrote:
> >> On 21/10/2013 05:09, Trevor Perrin wrote:
> >>>
> >>
> >> BTW I've just added some experimental code to the OpenSSL master
> branch. It adds
> >> key/certificate support to SSL_CONF and a new function
> SSL_CONF_cmd_value_type.
> >> The Apache side isn't added yet but should be pretty straight forward.
> >
> > Cool, if you do the Apache side I'll try to follow your footsteps and
> > extend ServerInfo to work with SSL_CONF (in OpenSSL and Apache).
> >
>
> http://svn.apache.org/r1534754
>
> This needs the OpenSSL master branch. It doesn't (yet) work with
> 1.0.2-stable
> but I'll be backporting the functionality in the near future.
>

Support for "ServerInfoFile" still isn't in
SSL_CONF_cmd()/SSL_CONF_cmd_value_type() in OpenSSL master or the 1.0.2
branch, right?  (IOW, "SSLOpenSSLConfCmd ServerInfoFile info1.pem" is the
planned interface in mod_ssl but not yet workable?)  Or maybe I'm not
looking at the right place in OpenSSL.

Thanks!


>
> I tested it against a new DH parameters directive and it seemed to work OK.
>
> Only bit I'm not completely sure about is the use of the SSL_CONF_CTX
> structure
> in modssl_ctx_t. It's done that way to avoid having to keep creating and
> destroying the SSL_CONF_CTX for each directive but a quick test showed it
> was
> creating several other SSL_CONF_CTX structures which were never used. Maybe
> there's a better way to handle that or just create the SSL_CONF_CTX on
> first use?
>
> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shenson@opensslfoundation.com
>

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [PATCH 55593] Add "SSLServerInfoFile" directive

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Jan 3, 2014 at 6:17 PM, Dr Stephen Henson <
shenson@opensslfoundation.com> wrote:

> On 03/01/2014 19:31, Jeff Trawick wrote:
> >
> > Support for "ServerInfoFile" still isn't in
> > SSL_CONF_cmd()/SSL_CONF_cmd_value_type() in OpenSSL master or the 1.0.2
> branch,
> > right?  (IOW, "SSLOpenSSLConfCmd ServerInfoFile info1.pem" is the planned
> > interface in mod_ssl but not yet workable?)  Or maybe I'm not looking at
> the
> > right place in OpenSSL.
> >
>
> I just added it to the OpenSSL master branch. Let me know if you have any
> problems. I'll backport it to 1.0.2 before release.
>

Thanks for that.  I don't have anything useful to test with the
ServerInfoFile right at the moment, but the code seems to be there now:

[Sat Jan 04 14:17:37 2014] [emerg] [pid 1950:139787856742272:1950]
ssl_engine_init.c(1320): AH02407: "SSLOpenSSLConfCmd ServerInfoFile
/home/trawick/inst/25-64/info1.pem" failed for www.example.com:8443
[Sat Jan 04 14:17:37 2014] [emerg] [pid 1950:139787856742272:1950]
ssl_engine_init.c(1321): SSL Library Error: error:0906D06C:PEM
routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file
contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sat Jan 04 14:17:37 2014] [emerg] [pid 1950:139787856742272:1950]
ssl_engine_init.c(1321): SSL Library Error: error:0906D06C:PEM
routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file
contents or format - or even just a forgotten SSLCertificateKeyFile?
[Sat Jan 04 14:17:37 2014] [emerg] [pid 1950:139787856742272:1950]
ssl_engine_init.c(1321): SSL Library Error: error:0906D06C:PEM
routines:PEM_read_bio:no start line -- Bad file contents or format - or
even just a forgotten SSLCertificateKeyFile?
[Sat Jan 04 14:17:37 2014] [emerg] [pid 1950:139787856742272:1950]
ssl_engine_init.c(1321): SSL Library Error: error:14151185:SSL
routines:SSL_CTX_use_serverinfo_file:no pem extensions


>
> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shenson@opensslfoundation.com
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
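The last line of the log above, "no pem extensions", is what OpenSSL reports when the file given to ServerInfoFile contains no PEM block named "SERVERINFO FOR <name>". As an added illustration (this is not code from the thread, from httpd or from OpenSSL), the Python below writes a ServerInfo file in the v1 layout that OpenSSL 1.0.2's SSL_CTX_use_serverinfo_file() reads (one PEM block per record; each record is a 2-byte big-endian extension type, a 2-byte big-endian length and the payload) and checks such a file with the same framing rules before it is handed to "SSLOpenSSLConfCmd ServerInfoFile". The host name, the extension type 0xFFEE (in the range IANA reserves for private use) and the payload are constructed placeholders; the "DH PARAMETERS" block is a stand-in with dummy bytes, not real parameters.

```python
import base64
import re
import struct

# PEM label prefix that SSL_CTX_use_serverinfo_file() requires on each block.
PEM_PREFIX = "SERVERINFO FOR "

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN (.+?)-----\n(.*?)-----END \1-----", re.S)


def build_extension(ext_type: int, data: bytes) -> bytes:
    """Frame one ServerInfo v1 record: u16 type, u16 length, payload (big-endian)."""
    if not 0 <= ext_type <= 0xFFFF:
        raise ValueError("extension type must fit in 16 bits")
    if len(data) > 0xFFFF:
        raise ValueError("extension payload too long for a 16-bit length")
    return struct.pack("!HH", ext_type, len(data)) + data


def to_pem(label: str, blob: bytes) -> str:
    """Wrap raw bytes in a PEM block with 64-character base64 lines."""
    body = base64.b64encode(blob).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN %s-----\n" % label
            + "".join(line + "\n" for line in lines)
            + "-----END %s-----\n" % label)


def parse_serverinfo(text: str):
    """Return [(name, ext_type, payload), ...] for every SERVERINFO block.

    Blocks with other labels are skipped; a file with no SERVERINFO block is
    rejected with the same wording OpenSSL uses, and a record whose declared
    length disagrees with the block size is rejected as bad data."""
    records = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if not label.startswith(PEM_PREFIX):
            continue
        blob = base64.b64decode("".join(body.split()), validate=True)
        if len(blob) < 4:
            raise ValueError("bad data: record shorter than 4-byte header in %r" % label)
        ext_type, length = struct.unpack("!HH", blob[:4])
        if length != len(blob) - 4:
            raise ValueError("bad data: declared length %d, actual %d in %r"
                             % (length, len(blob) - 4, label))
        records.append((label[len(PEM_PREFIX):], ext_type, blob[4:]))
    if not records:
        raise ValueError("no pem extensions")
    return records


def describe(text: str) -> str:
    """One-line summary of a candidate ServerInfo file, or the error it would raise."""
    try:
        recs = parse_serverinfo(text)
    except ValueError as exc:
        return "error: %s" % exc
    return "%d serverinfo record(s): " % len(recs) + "; ".join(
        "%s type 0x%04x, %d bytes" % (name, ext_type, len(data))
        for name, ext_type, data in recs)


# Constructed sample values (assumptions for the demonstration only).
SAMPLE_HOST = "www.example.com"
SAMPLE_EXT_TYPE = 0xFFEE            # private-use TLS extension type
SAMPLE_PAYLOAD = b"example-serverinfo-payload"


def sample_serverinfo_pem() -> str:
    """A well-formed one-record ServerInfo file."""
    return to_pem(PEM_PREFIX + SAMPLE_HOST,
                  build_extension(SAMPLE_EXT_TYPE, SAMPLE_PAYLOAD))


def sample_wrong_pem() -> str:
    """A file with only a non-SERVERINFO block (dummy bytes, not real DH parameters)."""
    return to_pem("DH PARAMETERS", b"\x30\x00")


def sample_bad_length_pem() -> str:
    """A SERVERINFO block whose header claims 5 payload bytes but carries 2."""
    return to_pem(PEM_PREFIX + SAMPLE_HOST, struct.pack("!HH", SAMPLE_EXT_TYPE, 5) + b"ab")


if __name__ == "__main__":
    # Writes a usable file and shows how each sample would be judged.
    with open("info1.pem", "w") as fh:
        fh.write(sample_serverinfo_pem())
    for sample in (sample_serverinfo_pem, sample_wrong_pem, sample_bad_length_pem):
        print(sample.__name__, "->", describe(sample()))
```

Running the script writes info1.pem, which can then be referenced from httpd.conf as "SSLOpenSSLConfCmd ServerInfoFile /path/to/info1.pem" inside the virtual host; the checker is only a pre-flight for the file layout, and OpenSSL itself still decides whether a given extension type is acceptable when mod_ssl loads the file.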

Re: [PATCH 55593] Add "SSLServerInfoFile" directive

Posted by Dr Stephen Henson <sh...@opensslfoundation.com>.
On 03/01/2014 19:31, Jeff Trawick wrote:
> 
> Support for "ServerInfoFile" still isn't in
> SSL_CONF_cmd()/SSL_CONF_cmd_value_type() in OpenSSL master or the 1.0.2 branch,
> right?  (IOW, "SSLOpenSSLConfCmd ServerInfoFile info1.pem" is the planned
> interface in mod_ssl but not yet workable?)  Or maybe I'm not looking at the
> right place in OpenSSL.
> 

I just added it to the OpenSSL master branch. Let me know if you have any
problems. I'll backport it to 1.0.2 before release.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com