On 03.08.2011 19:29, Dr Stephen Henson wrote: > In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL > related structures opaque and only allow them to be accessed through > functions. > This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL > headers.
Thanks for this information, this definitely seems a desirable goal for mod_ssl in the long term (pity it wasn't added to OpenSSL earlier). > Ironically to support this you'd need to avoid some of the changes in this > patch. For example: > > - l = strlen(SSL_CIPHER_get_name(c)); > - memcpy(cp, SSL_CIPHER_get_name(c), l); > + l = strlen(c->name); > + memcpy(cp, c->name, l); After another look, this is actually a case where I can revert the change in my patch - I overlooked that SSL_CIPHER_get_name is a macro which is also defined by OpenSSL itself (at least in 0.9.7 or later). The remaining ones probably need to stay for the time being, but let me add that I would definitely prefer mod_ssl not fiddling with the internals of OpenSSL (as an example, modssl_set_cert_info is rather worrysome, IMO). My plan was to do relatively mechanical macro replacement in a first step, then try to identify code parts which can be replaced by calls to OpenSSL (e.g. the CRL checking stuff), and in a third step, look at the remaining places which are "messing" with OpenSSL's internals and hopefully replace them with proper API calls whenever possible. OPENSSL_NO_SSL_INTERN sounds like a very useful thing for this, although backward compatibility will still make life hard, I guess. Kaspar