On Wed, Feb 02, 2005 at 11:36:41AM +0000, Ben Laurie wrote:
> Joe Orton wrote:
> >On Wed, Feb 02, 2005 at 11:09:47AM +0000, David Reid wrote:
> >>The issue is a need to get access to the internals of the structure.
> >
> >
> >By exposing the X509 * directly you expose a dependency on the
> >underlying SSL toolkit. What if mod_ssl was built to use the RSA
> >toolkit; will the X509 * have the same fields and layout? That's why
> >it's preferable to just expose the DER: there's nothing you can't do
> >with the DER that you can do with the X509 * anyway.
>
> This is a somewhat frivolous point though. If you expose the DER, then
> the module will have to have some crypto toolkit to understand it. If
> it's a different one from the one mod_ssl is using, then it can always
> convert to DER and into its own format, using the same kit mod_ssl uses
> for the first step. So, it seems to me that this is simply making work
> for modules to no real gain.

That all presumes that random third-party modules can determine which
type of SSL toolkit mod_ssl was built with and where the headers are
etc, which isn't the case.

> Certainly it should only be exported in this format if OpenSSL is in use.
>
> BTW, I'd advocate using a hook that was typesafe!

Exactly my point: you can't do that without exposing OpenSSL headers
through mod_ssl.h and making the hook declaration conditional on SSL
support being enabled and all that mess.

joe
