The way mod_ssl currently handles certificates and private keys is rather restrictive and means some of OpenSSL's current and planned future features can't be used automatically.
Currently mod_ssl hard codes algorithms and has a limitation of one certificate per algorithm. This has two consequences...

1. New algorithms (such as GOST and fixed DH) cannot be configured and need to be added into the mod_ssl code.

2. Support for multiple certificates for a given algorithm is not supported. For example, future "full" use of ECC ciphersuites might have different certificates for different curves, the selection of which is determined by the curves the client supports.

IMHO to avoid these problems it would be better if mod_ssl could send an arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL to process them in an appropriate manner. If finer control over some operations (for example to detect configuration errors) is required, OpenSSL could be extended to support that.

Thoughts?

Steve.

--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
