Joe Orton wrote:
>
> I finally got round to finishing this off, holidays and similar excuses
> now out of the way. First of all: thanks a lot for the patch, and sorry
> it took so long to merge!
>

Many thanks. I'm away from my test setup for a couple of days so can't
test it at present.

> I made a few changes relative to your latest patch:
>
> - minor syntax/style cleanups
> - renamed the new C file to ssl_util_stapling.c
> - updated the handling of "SSLStaplingCache" as per changes to
>   "SSLSessionCache", to allow "SSLStaplingCache default" to DTRT
> - moved up the call to ssl_stapling_ex_init() so it took effect before
>   the ex_data index was used
>
> and have two questions:
>
> 1) the use of an ex_data structure attached to the X509 * to store the
> stapling-specific state seems unnecessary. Was there a reason why you
> did this rather than simply extending the modssl_pk_server_t structure?
> (The ex_data indices have historically been a nightmare with mod_ssl due
> to the fact that OpenSSL might get unloaded from memory during startup,
> and any cached copies of the index values outside of OpenSSL may or may
> not be reliable. Global state == bad!)
>

Main reason is that I'm more used to how ex_data works ;-) As long as the
cached structure is associated with each server certificate in some way
that's fine.

> I've done basic testing using openssl s_client/ocsp as client/responder
> such that I can see an OCSP response being passed through, but it didn't
> seem to get cached correctly which I haven't looked into further (maybe
> I broke that with my changes).
>

Will test it when I get back.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
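The "openssl ocsp as responder" half of the test setup mentioned above can be exercised without a listening port, which makes it easy to see what a stapling server actually fetches and what the responder signs. The script below is an added example and is not code from this thread, from mod_ssl or from OpenSSL; it assumes only that an openssl command-line binary is on PATH. The CA, the two leaf certificates (serials 0x1001 and 0x1002, chosen here) and the index file are constructed throwaway data; the CA key is reused as the responder signing key purely to keep the example short, which a real deployment would not do.

```shell
#!/bin/sh
# Added example (not from the thread, mod_ssl or OpenSSL): run the openssl
# ocsp responder offline against a constructed test PKI and read back the
# signed status, once for a good certificate and once for a revoked one.
# Assumption: an openssl CLI is on PATH.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: a self-signed CA and two leaf certificates with
# fixed serial numbers, one to be reported good and one revoked.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Test-CA -days 3650 \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    for entry in good:0x1001 revoked:0x1002; do
        name=${entry%%:*}
        serial=${entry##*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.test" \
            -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
            -set_serial "$serial" -days 365 -out "$name.pem" >/dev/null 2>&1
    done
    # Responder database in the 'openssl ca' index layout: six tab-separated
    # columns, status (V/R/E), expiry, revocation date, serial in upper-case
    # hex without the 0x prefix, filename, subject.  The responder matches
    # entries on the serial column only; the subject is informational.
    printf 'V\t351231235959Z\t\t1001\tunknown\t/CN=good.test\n' > index.txt
    printf 'R\t351231235959Z\t250101000000Z\t1002\tunknown\t/CN=revoked.test\n' >> index.txt
}

# Responder side: answer one DER-encoded request from the index file.
# -reqin/-respout stand in for the -port listener, so no socket is opened.
# The CA key doubles as the responder signing key here (brevity only).
respond() {   # $1 = request DER in, $2 = response DER out
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -reqin "$1" -respout "$2" >/dev/null 2>&1
}

# Client side: build the request the way a stapling server does (issuer
# plus end-entity certificate), hand it to the responder, verify the signed
# response against the CA and print only the certificate status.
ocsp_status() {   # $1 = end-entity certificate PEM; prints good|revoked|unknown
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout "$1.req" >/dev/null 2>&1
    respond "$1.req" "$1.resp"
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -CAfile ca.pem \
        -respin "$1.resp" 2>/dev/null | sed -n "s|^$1: ||p"
}

make_pki
printf '%s -> %s\n' good.pem "$(ocsp_status good.pem)" \
                    revoked.pem "$(ocsp_status revoked.pem)"
```

The file written by respond() is the same DER OCSPResponse a stapling server obtains over HTTP and hands to clients in the status_request extension; the verification step is the check a client performs on it (signature, signer trusted for the issuer, no nonce mismatch). For the live loop the responder is started with -port instead of -reqin (openssl ocsp -index index.txt -port 8888 ... with the same -CA/-rsigner/-rkey options), and on the client side openssl s_client -connect host:port -status prints whether a response was stapled in the handshake.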