https://issues.apache.org/bugzilla/show_bug.cgi?id=54987

            Bug ID: 54987
           Summary: RFC5878 support in mod_ssl
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]
    Classification: Unclassified

I am working on implementing support for RFC5878 in OpenSSL and mod_ssl.  I am
in the process of contributing the OpenSSL work back to the project, and I
would like to do the same for my mod_ssl changes.

Previous support for RFC5878 was committed and then backed out.  See
http://www.mail-archive.com/[email protected]/msg56660.html

My specific requirements are to implement support for DTCP-based authorization
through RFC5878 in mod_ssl, and that work is in progress but functional.  My
work didn't require me to add support for the AuthzDataFormats defined in
RFC5878, as we are defining a new RFC to add support for DTCP-based
authorization using RFC5878; however, the OpenSSL API would not need to change
to implement support for the AuthzDataFormats specified in RFC5878.

The OpenSSL changes can be seen here:
https://bitbucket.org/cvp2ri/openssl/compare/dtcp-plus-supp-data..master#diff

The mod_ssl changes can be seen here:
https://bitbucket.org/cvp2ri/apache-http-server/compare/dtcp-support..mirror/apache-http-server:2.4.x#diff

I'm filing this issue in order to request feedback on the changes to mod_ssl
linked above.  If additional work is required in order to improve the chances
of this contribution being accepted, please let me know.

The OpenSSL API is almost exclusively callback-based, and RFC5878 requires TLS
extensions to be examined by both sides and supplemental data sent, possibly by
both sides, during the TLS handshake.  I don't believe the OpenSSL
configuration command support recently added in
http://svn.apache.org/viewvc?view=revision&revision=r1421323 would support
these requirements, as what is sent in the TLS extension and supplemental data
is dependent on what is sent by the other side.

Any feedback is welcome.

Scott
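
The negotiation the report describes, where what each side puts in the TLS extension and whether it later sends SupplementalData depends on what the peer sent first, as an added Python model that is not part of the bug report, of the reporter's patches or of OpenSSL or mod_ssl. It uses the extension types (client_authz = 7, server_authz = 8) and AuthzDataFormat values that RFC 5878 defines; the one-byte-count wire form of the format list and the names of all functions are assumptions made for the model:

```python
from typing import Dict, List

# Extension types and AuthzDataFormat values as defined by RFC 5878.
CLIENT_AUTHZ_EXT = 7          # formats the client offers to send
SERVER_AUTHZ_EXT = 8          # formats the client asks the server to send
X509_ATTR_CERT = 0
SAML_ASSERTION = 1
X509_ATTR_CERT_URL = 2
SAML_ASSERTION_URL = 3

Extensions = Dict[int, bytes]


def encode_format_list(formats: List[int]) -> bytes:
    """Wire form assumed by this model: one-byte count, then one byte per format."""
    if not 1 <= len(formats) <= 255:
        raise ValueError("authz format list must hold 1..255 entries")
    if any(not 0 <= f <= 255 for f in formats):
        raise ValueError("AuthzDataFormat values are single bytes")
    return bytes([len(formats)]) + bytes(formats)


def decode_format_list(data: bytes) -> List[int]:
    """Validate the peer's length byte against the real payload before trusting it."""
    if len(data) < 2 or data[0] == 0 or len(data) != 1 + data[0]:
        raise ValueError("malformed authz format list")
    return list(data[1:])


def client_hello_extensions(client_sends: List[int], client_accepts: List[int]) -> Extensions:
    """Client side: advertise what it can send and what it wants back."""
    exts: Extensions = {}
    if client_sends:
        exts[CLIENT_AUTHZ_EXT] = encode_format_list(client_sends)
    if client_accepts:
        exts[SERVER_AUTHZ_EXT] = encode_format_list(client_accepts)
    return exts


def server_hello_extensions(client_exts: Extensions,
                            server_accepts: List[int],
                            server_sends: List[int]) -> Extensions:
    """Server side: it can only answer extensions the client actually sent, and only
    with the subset of the client's formats it is configured for. A fixed, static
    ServerHello extension cannot express this; the reply is a function of the offer."""
    exts: Extensions = {}
    if CLIENT_AUTHZ_EXT in client_exts:
        offered = decode_format_list(client_exts[CLIENT_AUTHZ_EXT])
        agreed = [f for f in offered if f in server_accepts]
        if agreed:
            exts[CLIENT_AUTHZ_EXT] = encode_format_list(agreed)
    if SERVER_AUTHZ_EXT in client_exts:
        wanted = decode_format_list(client_exts[SERVER_AUTHZ_EXT])
        agreed = [f for f in wanted if f in server_sends]
        if agreed:
            exts[SERVER_AUTHZ_EXT] = encode_format_list(agreed)
    return exts


def supplemental_data_plan(client_exts: Extensions, server_exts: Extensions) -> Dict[str, List[int]]:
    """Decide, after both Hellos, who sends SupplementalData and in which formats.
    The client rejects a server echo that names a format it never offered."""
    plan = {"client_sends": [], "server_sends": []}
    if CLIENT_AUTHZ_EXT in server_exts:
        offered = decode_format_list(client_exts.get(CLIENT_AUTHZ_EXT, b""))
        echoed = decode_format_list(server_exts[CLIENT_AUTHZ_EXT])
        if any(f not in offered for f in echoed):
            raise ValueError("server accepted a format the client did not offer")
        plan["client_sends"] = echoed
    if SERVER_AUTHZ_EXT in server_exts:
        wanted = decode_format_list(client_exts.get(SERVER_AUTHZ_EXT, b""))
        echoed = decode_format_list(server_exts[SERVER_AUTHZ_EXT])
        if any(f not in wanted for f in echoed):
            raise ValueError("server offered a format the client did not request")
        plan["server_sends"] = echoed
    return plan


def run_handshake(client_sends: List[int], client_accepts: List[int],
                  server_accepts: List[int], server_sends: List[int]) -> Dict[str, List[int]]:
    """Drive one ClientHello/ServerHello exchange for the given policies."""
    c = client_hello_extensions(client_sends, client_accepts)
    s = server_hello_extensions(c, server_accepts, server_sends)
    return supplemental_data_plan(c, s)


if __name__ == "__main__":
    # Same server policy, two different clients: the server's extension and the
    # resulting SupplementalData differ, which is why a callback is needed.
    print(run_handshake([X509_ATTR_CERT, SAML_ASSERTION], [SAML_ASSERTION],
                        [X509_ATTR_CERT], [SAML_ASSERTION, SAML_ASSERTION_URL]))
    print(run_handshake([SAML_ASSERTION_URL], [],
                        [X509_ATTR_CERT], [SAML_ASSERTION, SAML_ASSERTION_URL]))
```

The two calls in the usage block share one server policy but produce different ServerHello extensions and a different SupplementalData plan; that is the dependency on the peer's message that a static configuration command cannot capture, and it is also why the decoder validates the length byte and the echoed subset rather than trusting the peer.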
