On Wed, Feb 02, 2005 at 11:09:47AM +0000, David Reid wrote:
> Joe Orton wrote:
> >On Wed, Feb 02, 2005 at 10:17:04AM +0000, David Reid wrote:
> >
> >>Basically this allows us to gain access to the actual cert structure.
> >
> >
> >I don't like the idea of exposing the X509 * directly especially not
> >through a char * interface. Exposing the DER representation (e.g.
> >base64-encoded) through ssl_var_lookup would be better.

(of course that's essentially what _CERT_PEM is; but exporting it
without the unnecessary PEM trimmings is useful too)

> The issue is a need to get access to the internals of the structure.

By exposing the X509 * directly you expose a dependency on the
underlying SSL toolkit. What if mod_ssl was built to use the RSA
toolkit; will the X509 * have the same fields and layout?

That's why it's preferable to just expose the DER: there's nothing you
can't do with the DER that you can do with the X509 * anyway.

joe
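
Added example, not part of the original message and not mod_ssl code: a consumer that receives a certificate as base64 DER (with or without the PEM trimmings) and reads a field from it with no SSL toolkit linked in. The function names are hypothetical, and the sample input is a constructed skeleton with the outer shape of a certificate, not a real one.

```python
import base64

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """serialNumber from Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, cert, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    tag, tbs, _ = der_tlv(cert)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, nxt = der_tlv(tbs)
    if tag == 0xA0:                        # skip the optional explicit [0] version
        tag, val, nxt = der_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(val, "big", signed=True)

def serial_from_b64(text):
    """Accept bare base64 DER or PEM; the PEM trimmings are simply dropped."""
    b64 = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return cert_serial(base64.b64decode(b64, validate=True))

def tlv(tag, value):                       # encoder used only to build the sample
    return bytes([tag, len(value)]) + value

# Constructed sample (version v3, serial 65537); not a real certificate.
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x00\x01")))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + "\n-----END CERTIFICATE-----\n"
```

The parser depends only on the encoding, so it behaves the same whichever toolkit the server was built against; the bounds checks reject truncated input instead of reading past it.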
