Joe Orton wrote:
> On Wed, Feb 02, 2005 at 11:09:47AM +0000, David Reid wrote:
>> Joe Orton wrote:
>>> On Wed, Feb 02, 2005 at 10:17:04AM +0000, David Reid wrote:
>>>> Basically this allows us to gain access to the actual cert structure.
>>>
>>> I don't like the idea of exposing the X509 * directly especially not
>>> through a char * interface.  Exposing the DER representation (e.g.
>>> base64-encoded) through ssl_var_lookup would be better.
>>>
>>> (of course that's essentially what _CERT_PEM is; but exporting it
>>> without the unnecessary PEM trimmings is useful too)
>>
>> The issue is a need to get access to the internals of the structure.
>
> By exposing the X509 * directly you expose a dependency on the
> underlying SSL toolkit.  What if mod_ssl was built to use the RSA
> toolkit; will the X509 * have the same fields and layout?  That's why
> it's preferable to just expose the DER: there's nothing you can't do
> with the DER that you can do with the X509 * anyway.

This is a somewhat frivolous point though. If you expose the DER, then the module will have to have some crypto toolkit to understand it. If it's a different one from the one mod_ssl is using, then it can always convert to DER and into its own format, using the same kit mod_ssl uses for the first step. So, it seems to me that this is simply making work for modules to no real gain.


Certainly it should only be exported in this format if OpenSSL is in use.

BTW, I'd advocate using a hook that was typesafe!

Cheers,

Ben.


-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
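Added example, not from this thread or from mod_ssl: what a module that consumes the DER instead of the X509 * actually has to do, shown in plain Python with no crypto toolkit at all. It strips the PEM trimmings an SSL_CLIENT_CERT-style value carries, base64-decodes to DER, and walks the outer TLVs to pull out the serial number. The certificate bytes are a constructed, cut-down skeleton (version and serial only), not a real certificate, and the helper names are assumptions.

```python
import base64
import re
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_integer(value: int) -> bytes:
    """Encode an INTEGER: two's complement, minimal length (leading 0x00 if the top bit is set)."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV at buf[pos]; single-byte tags only."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                      # long-form length: next (first & 0x7F) bytes hold it
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (the 'trimmings') and base64-decode to the raw DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def serial_from_der(der: bytes) -> int:
    """Walk Certificate -> tbsCertificate -> [0] version -> serialNumber without any X509 *."""
    tag, cert, _ = parse_tlv(der)
    tag2, tbs, _ = parse_tlv(cert)
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("Certificate / tbsCertificate is not a SEQUENCE")
    tag, body, pos = parse_tlv(tbs)
    if tag == 0xA0:                       # optional [0] EXPLICIT version is present: skip it
        tag, body, pos = parse_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(body, "big", signed=True)

# Constructed sample (hypothetical, NOT a real certificate): a cut-down tbsCertificate holding
# only version and serial, then PEM-armoured the way mod_ssl's SSL_CLIENT_CERT variable is.
SAMPLE_SERIAL = 0x0A1B2C3D4E5F
SAMPLE_DER = der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_integer(2)) + der_integer(SAMPLE_SERIAL)))
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
```

With a real certificate the same walk continues past the serial into signature algorithm, issuer, validity and so on, which is the sense in which the DER gives a module everything the X509 * would.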
