On 22/12/2011 10:59, Kaspar Brand wrote:
> On 05.08.2011 07:41, Kaspar Brand wrote:
>> On 03.08.2011 19:29, Dr Stephen Henson wrote:
>>> In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL
>>> related structures opaque and only allow them to be accessed through
>>> functions.
>>> This is enabled by setting OPENSSL_NO_SSL_INTERN before including any
>>> OpenSSL headers.
>>
>> Thanks for this information, this definitely seems a desirable goal for
>> mod_ssl in the long term (pity it wasn't added to OpenSSL earlier).
>
> Ok, so now that OpenSSL 1.0.1 doesn't seem too far away, I had a closer
> look. With trunk/2.4.x, things are already in pretty good shape, I think.
>
>> I haven't had time to try getting mod_ssl to work with this option. It is
>> guaranteed to fail without some modification. There may well be some
>> functionality missing in OpenSSL too.
>
> For mod_ssl, after some tweaking, two things are basically missing with
> the current 1.0.1 snapshots:
>
> 1) access to the SSL_CTX's "extra_certs". Currently there's only
> SSL_CTX_add_extra_chain_cert(), but no way to get at the currently
> configured stack of certs, and no option to clear that stack. mod_ssl
> needs this for ssl_util_stapling.c:stapling_get_issuer(),
> ssl_engine_init.c:ssl_init_ctx_pkcs7_cert_chain(), and
> ssl_util_ssl.c:SSL_CTX_use_certificate_chain().
>
> 2) access to the SSL_SESSION's "compress_meth" (read-only). Used in
> ssl_engine_vars.c:ssl_var_lookup_ssl_compress_meth().
>
> Is there a chance to add these for the initial 1.0.1 release?
I've added a few new controls and one new function which should resolve this, see last few commits. I deleted a couple of functions duplicating functionality too. Let me know if you need further details or it needs fixing.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775
shen...@opensslfoundation.com
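To illustrate the shape of the accessors the thread asks for, here is an added, self-contained C model of the opaque-structure pattern; it is not OpenSSL's or mod_ssl's code. The `ctx_t`/`cert_t` types and every function name are hypothetical stand-ins for SSL_CTX, X509 and the getter, clear and compress-method accessors, and `chain_find_issuer` mirrors a stapling_get_issuer-style walk that compiles only against accessors, never against struct members.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for X509: only a subject name, enough for issuer lookup. */
typedef struct { char subject[32]; } cert_t;

/* Opaque handle: callers see only this forward declaration, never the layout
 * (in a real library the struct definition below lives in the .c file). */
typedef struct ctx_st ctx_t;
struct ctx_st {
    cert_t *extra_certs[8];   /* modelled SSL_CTX "extra_certs" stack */
    size_t  n_extra;
    int     compress_meth;    /* modelled SSL_SESSION "compress_meth", read-only */
};

ctx_t *ctx_new(int compress_meth) {
    ctx_t *c = calloc(1, sizeof *c);
    if (c) c->compress_meth = compress_meth;
    return c;
}
cert_t *cert_new(const char *subject) {
    cert_t *x = calloc(1, sizeof *x);
    if (x) strncpy(x->subject, subject, sizeof x->subject - 1);
    return x;
}
/* Setter that already existed in the thread's terms; the stack owns the cert on success. */
int ctx_add_extra_chain_cert(ctx_t *c, cert_t *x) {
    if (c->n_extra == 8) return 0;
    c->extra_certs[c->n_extra++] = x;
    return 1;
}
/* The accessors that were missing: read the stack, clear it, read compress_meth. */
size_t ctx_get_extra_chain_certs(const ctx_t *c, cert_t *const **out) {
    *out = c->extra_certs;
    return c->n_extra;
}
void ctx_clear_extra_chain_certs(ctx_t *c) {
    for (size_t i = 0; i < c->n_extra; i++) free(c->extra_certs[i]);
    c->n_extra = 0;
}
int ctx_get_compress_meth(const ctx_t *c) { return c->compress_meth; }
void ctx_free(ctx_t *c) { if (c) { ctx_clear_extra_chain_certs(c); free(c); } }

/* stapling_get_issuer-style lookup written purely against the accessor API. */
const cert_t *chain_find_issuer(const ctx_t *c, const char *issuer_subject) {
    cert_t *const *certs;
    size_t n = ctx_get_extra_chain_certs(c, &certs);
    for (size_t i = 0; i < n; i++)
        if (strcmp(certs[i]->subject, issuer_subject) == 0) return certs[i];
    return NULL;
}
```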