Posted to dev@httpd.apache.org by Jason - <wi...@outlook.com> on 2016/05/04 15:52:18 UTC

OpenSSL Patch requires new treatment of dual certificate configurations with ServerInfoFile

Hi to all.

I would like to draw your attention to a new patch for OpenSSL which will ultimately mean that Apache needs to treat dual EC/RSA certificate configurations with server info (currently used only for the TLS extension for Certificate Transparency) differently than it does now. Specifically, the patches are https://github.com/openssl/openssl/pull/914 and https://github.com/openssl/openssl/pull/915.

They originated from research involving my Apache server configuration (2.4.20 on Ubuntu 16.04, not Apache trunk) and Castaglia's coding of patches.

The Apache/OpenSSL bug is described fully here: http://serverfault.com/questions/758482/apache-extension-error (the software I used when I published this Serverfault thread was a bit older than what I use now, but the problem still persists). In particular, see Castaglia's comment on their answer in that thread for a possible new implementation idea for Apache.

Maybe the following would be a good approach: after the first certificate/private-key pair, accept a ServerInfo OpenSSL configuration directive which would call SSL_CTX_use_serverinfo_file for that certificate. Then the configuration goes on with the second certificate/private-key pair and, after that, the second serverinfo file location via the OpenSSL configuration directive (if applicable, that is, if the server has a dual certificate configuration). So Apache would need to process each pair and then, if it finds a serverinfo directive directly below it, call SSL_CTX_use_serverinfo_file for THAT certificate. When a new certificate/key pair is registered, SSL_CTX_use_serverinfo_file would be called again, but for the last certificate only.

And a last thing: let's not only implement this for 2.5 trunk, but also as a patch for 2.4, e.g. 2.4.21.

Regards,
Jason
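The per-certificate ordering proposed in the message above, written out as a mod_ssl virtual-host fragment. This is an added illustration, not configuration from the original post or from the httpd project. It assumes that the "ServerInfo OpenSSL configuration directive" is expressed through mod_ssl's SSLOpenSSLConfCmd passing OpenSSL's ServerInfoFile command, and that each ServerInfoFile line is applied to the certificate loaded immediately before it, which is exactly the behaviour the proposal asks for and not what released httpd does; all file paths are constructed placeholders.

```apache
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on

    # First pair: RSA certificate and key. Under the proposed handling, the
    # ServerInfoFile directly below this pair would attach only to this
    # certificate (SSL_CTX_use_serverinfo_file called once, for the RSA cert).
    SSLCertificateFile      /etc/ssl/certs/example-rsa.crt
    SSLCertificateKeyFile   /etc/ssl/private/example-rsa.key
    SSLOpenSSLConfCmd ServerInfoFile /etc/ssl/certs/example-rsa.serverinfo

    # Second pair: EC certificate and key, followed by its own serverinfo
    # file. Registering the new pair means the next ServerInfoFile is
    # applied to the EC certificate only, not re-applied to the RSA one.
    SSLCertificateFile      /etc/ssl/certs/example-ec.crt
    SSLCertificateKeyFile   /etc/ssl/private/example-ec.key
    SSLOpenSSLConfCmd ServerInfoFile /etc/ssl/certs/example-ec.serverinfo
</VirtualHost>
```

The point of the ordering is that a serverinfo file carries extension data (here, the Certificate Transparency SCTs) that is specific to one certificate; a single ServerInfoFile that is applied before both certificates are loaded, or to the wrong one, would cause a client negotiating the EC certificate to receive SCTs issued for the RSA certificate. A practical check after reloading is to connect once with an RSA-only cipher suite and once with an ECDSA-only suite and confirm that the SCTs presented in each handshake match the certificate that was served.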