On 05.08.2011 07:41, Kaspar Brand wrote:
> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>> related structures opaque and only allow them to be accessed through 
>> functions.
>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any OpenSSL
>> headers.
> 
> Thanks for this information, this definitely seems a desirable goal for
> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).

Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
look. With trunk/2.4.x, things are already in pretty good shape, I think.

> I haven't had time to try getting mod_ssl to work with this option. It is
> guaranteed to fail without some modification. There may well be some
> functionality missing in OpenSSL too.

For mod_ssl, after some tweaking, two things are basically missing with
the current 1.0.1 snapshots:

1) access to the SSL_CTX's "extra_certs". Currently there's only
SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
configured stack of certs, and no option to clear that stack. mod_ssl
needs this for ssl_util_stapling.c:stapling_get_issuer(),
ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
ssl_util_ssl.c:SSL_CTX_use_certificate_chain().

2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().

Is there a chance to add these for the initial 1.0.1 release?

Kaspar
