> -----Original Message-----
> From: Dr Stephen Henson [mailto:[email protected]]
> Sent: Thursday, 2 February 2012 15:14
> To: [email protected]
> Subject: OpenSSL configuration and mod_ssl
>
> Guys,
>
> It has been apparent for some time that mod_ssl (and other applications)
> require a considerable effort to support new features in OpenSSL.
>
> A simple example is when a new flag is added which some, but not all,
> users may want to set. Once this flag appears in an OpenSSL release every
> OpenSSL based application needs to be modified to support and document it.
> Specification of this option might be via a command line option or (in the
> case of mod_ssl and others) a configuration file.
>
> It would IMHO be far better if a mechanism existed to support automatic
> configuration of some options by conforming applications.
>
> There is a current example where this works well: the cipher string. With
> the inclusion of TLS v1.2 in the upcoming OpenSSL 1.0.1 release several new
> ciphersuites based on SHA256 and GCM have appeared. An application
> generally doesn't need to know or care what these are. A user can enable
> or disable them by just using the cipher string: it is passed as an opaque
> string which OpenSSL interprets.
>
> So my thoughts are that this concept could be generalised.
>
> A simple answer is to add new string setting options. For example:
>
> int SSL_CTX_set_options_string(SSL_CTX *ctx, const char *str);

+1 in principle. Could be handy for mod_ssl.

> This works for existing simple configuration but a new string (for
> example TLS 1.2 supported signature algorithms) might be added in the
> future so then we're back to having to explicitly add support to all
> applications for each new string configuration option.
>
> So perhaps:
>
> int SSL_CTX_set_config_string(SSL_CTX *ctx,
>                               const char *name, const char *value);
>
> Where the values of "name" can expand over time.

+1 same as above.

> I'm not completely sure that this could be handled by the mod_ssl
> configuration routines, perhaps someone could comment on that?
>
> A third method is to delegate the configuration completely to OpenSSL
> using a separate configuration file. So, we'd have an option to set the
> configuration file to use and then something like:
>
> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);

-0 from mod_ssl perspective. How do you configure which configuration file to use in this case? If it is the system-wide one I don't regard this as beneficial, as a web server operator might not have write access to it.

Regards

Rüdiger
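The second proposal in the quoted mail, a name/value string setter whose set of valid names grows inside the library rather than in every application, is easy to misjudge from the prototype alone. The toy below is an added example written for this page; it is not code from the thread, from mod_ssl or from OpenSSL, and every identifier in it (`toy_ctx`, `toy_ctx_set_config_string`, `toy_ctx_load_config`, the `OPT_*` bits, the option names) is invented for illustration. It models the application side (mod_ssl-style "Name value" lines passed through without interpretation) and the library side (a table that is the only place a new flag has to be added), and shows the check an operator would want: an unrecognised name or flag is reported back as a hard error for the offending line, so a typo cannot silently leave a protocol or feature enabled.

```c
#include <stdio.h>
#include <string.h>

/* Toy option bits. Constructed for this example; they are NOT OpenSSL's
 * SSL_OP_* values. */
#define OPT_NO_SSLV3          0x01UL
#define OPT_NO_TLSV1          0x02UL
#define OPT_NO_COMPRESSION    0x04UL
#define OPT_SERVER_PREFERENCE 0x08UL

/* Stand-in for SSL_CTX: the application treats it as an opaque handle and
 * all knowledge of option names lives in the "library" code below. */
typedef struct {
    unsigned long options;
    char cipher_string[128];
} toy_ctx;

/* Name -> bit table. Adding a row here is the only change a new flag needs;
 * applications that pass strings through pick it up without a rebuild. */
static const struct { const char *name; unsigned long bit; } option_table[] = {
    { "no_sslv3",          OPT_NO_SSLV3 },
    { "no_tlsv1",          OPT_NO_TLSV1 },
    { "no_compression",    OPT_NO_COMPRESSION },
    { "server_preference", OPT_SERVER_PREFERENCE },
};

/* Apply a comma-separated option list; a leading '-' clears the flag.
 * Returns 1 on success, 0 if any token is unknown, in which case nothing
 * is applied (no half-configured context). */
static int apply_options_string(toy_ctx *ctx, const char *value)
{
    unsigned long set = 0, clear = 0;
    const char *p = value;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int negate = (len > 0 && p[0] == '-');
        const char *tok = p + negate;
        size_t toklen = len - negate;
        size_t i, found = 0;

        for (i = 0; i < sizeof option_table / sizeof option_table[0]; i++) {
            if (strlen(option_table[i].name) == toklen &&
                strncmp(option_table[i].name, tok, toklen) == 0) {
                if (negate) clear |= option_table[i].bit;
                else        set   |= option_table[i].bit;
                found = 1;
                break;
            }
        }
        if (!found)
            return 0;                      /* unknown flag: reject the whole string */
        p = end ? end + 1 : p + len;
    }
    ctx->options = (ctx->options | set) & ~clear;
    return 1;
}

/* The generic entry point from the mail: name/value pairs whose set of
 * valid names can expand over time inside the library.
 * Returns 1 if applied, 0 if the value was bad, -2 if the name is unknown
 * (distinguishable so the caller can report "no such directive"). */
int toy_ctx_set_config_string(toy_ctx *ctx, const char *name, const char *value)
{
    if (strcmp(name, "Options") == 0)
        return apply_options_string(ctx, value);
    if (strcmp(name, "CipherString") == 0) {
        if (strlen(value) >= sizeof ctx->cipher_string)
            return 0;
        strcpy(ctx->cipher_string, value);   /* opaque to the application */
        return 1;
    }
    return -2;
}

/* Application side: feed a block of "Name value" lines (blank lines and
 * '#' comments allowed) through the dispatcher. Returns 0 on success or the
 * 1-based number of the first line that failed, so a typo in a directive
 * name is a startup error rather than a silently ignored setting. */
int toy_ctx_load_config(toy_ctx *ctx, const char *config)
{
    int lineno = 0;
    const char *line = config;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256], name[64], value[192];
        int rc;

        lineno++;
        if (len >= sizeof buf)
            return lineno;
        memcpy(buf, line, len);
        buf[len] = '\0';
        rc = sscanf(buf, " %63s %191s", name, value);
        if (rc == 2 && name[0] != '#') {
            if (toy_ctx_set_config_string(ctx, name, value) != 1)
                return lineno;
        } else if (rc == 1 && name[0] != '#') {
            return lineno;                 /* directive without a value */
        }
        line = nl ? nl + 1 : line + len;
    }
    return 0;
}

int main(void)
{
    toy_ctx ctx = { 0, "" };
    /* Constructed configuration snippets in the spirit of a mod_ssl block. */
    const char *good =
        "# constructed example config\n"
        "CipherString HIGH:!aNULL:!MD5\n"
        "Options no_sslv3,no_compression,server_preference\n"
        "Options -server_preference\n";
    const char *bad =
        "CipherString HIGH\n"
        "Optoins no_sslv3\n";              /* typo in the directive name */

    printf("good config: rc=%d options=0x%lx cipher=%s\n",
           toy_ctx_load_config(&ctx, good), ctx.options, ctx.cipher_string);
    printf("bad config: failed at line %d\n", toy_ctx_load_config(&ctx, bad));
    return 0;
}
```

The design point for the mod_ssl side of the thread is in `toy_ctx_load_config`: the web server needs no list of valid names, only the rule that anything other than success from the setter aborts startup. Whether the names are validated by a per-call setter (the mail's second proposal) or by a separate configuration file (the third) does not change that rule, and the question Rüdiger raises about who can write the file is precisely why the per-call form keeps the option text inside the operator's own server configuration.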
