On 02.02.2012 15:13, Dr Stephen Henson wrote:
> So perhaps:
>
> int SSL_CTX_set_config_string(SSL_CTX *ctx,
>                               const char *name, const char *value);
>
> Where the values of "name" can expand over time.

I'm more in favor of this one - i.e., allow configuration through key-value pairs (you could do that with the other variant by stuffing them into a single string, but then there's the question of what separator to use etc.)

> I'm not completely sure that this could be handled by the mod_ssl
> configuration routines, perhaps someone could comment on that?

Similar to the parameter handling in directives like "Define" or "SetEnv", I think. "SSLSetOpenSSLOption" e.g.?

> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);
>
> Where "config_name" is a named configuration option in the OpenSSL
> configuration file. This has the substantial advantage that there would
> then be one configuration file format used by all OpenSSL applications.
> The disadvantage is that it would look nothing like the existing Apache
> configuration format.

Maybe mod_ssl could offer both - a directive for configuring via key-value pairs for "simple" cases, and a config file based way for complex setups. (In some way, it's what PHP currently does with the php_value/php_admin_value directives and php.ini.)

BTW: I would like to see SSL_set_config_string(), too - for those mod_ssl options which can be set on a per-directory basis.

Kaspar