On 04.02.2012 15:27, Dr Stephen Henson wrote:
> IMHO to avoid these problems it would be better if mod_ssl could send an
> arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL
> to process them in an appropriate manner.

Would that mean supplying names of key/certificate files to OpenSSL, or are you thinking of sending parsed keys/certs (like SSL_CTX_use_PrivateKey() etc. does right now)? Dealing with encrypted keys might become more tricky, depending on what the API for this would look like (currently, mod_ssl remembers the unencrypted keys in a separate table, so that they can survive a reload).

> If finer control over some operations (for example to detect configuration
> errors) is required OpenSSL could be extended to support that.

This would certainly help. Things which come to mind: host name mismatch (i.e., cert does not include DNS name for ServerName/ServerAlias), private-vs.-public-key mismatch, missing chain.

Kaspar
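The three configuration errors listed above (private key not matching the certificate, certificate not covering the ServerName, missing intermediate chain) can be checked outside the server with the openssl CLI. The script below is an added example, not code from this thread, from mod_ssl or from OpenSSL. It assumes an `openssl` binary of version 1.0.2 or later on PATH (`x509 -checkhost` needs that) and a default openssl.cnf so that `openssl req` runs; the root, intermediate, leaf and unrelated key it generates are constructed test material, and the `example.test` host names are made up.

```shell
#!/bin/sh
# Added example (not from the thread, mod_ssl or OpenSSL): reproduce the three
# start-up checks with the openssl CLI. Assumes openssl >= 1.0.2 on PATH and a
# usable default openssl.cnf for "openssl req".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test PKI (not real): root -> intermediate -> leaf, plus an
# unrelated key that does not belong to the leaf certificate.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

q() { "$@" >/dev/null 2>&1; }   # run an openssl command silently

q openssl req -new -newkey rsa:2048 -nodes -subj /CN=Test-Root -keyout root.key -out root.csr
q openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ext.cnf -extensions ca -out root.pem
q openssl req -new -newkey rsa:2048 -nodes -subj /CN=Test-Intermediate -keyout int.key -out int.csr
q openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ext.cnf -extensions ca -out int.pem
q openssl req -new -newkey rsa:2048 -nodes -subj /CN=www.example.test -keyout leaf.key -out leaf.csr
q openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile ext.cnf -extensions leaf -out leaf.pem
q openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key

# 1. Private-vs.-public-key mismatch: derive the SubjectPublicKeyInfo from the
#    key and from the certificate and compare them (works for any key type).
key_matches_cert() {  # key_matches_cert KEYFILE CERTFILE
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 2. Host name mismatch: does the certificate's SAN (CN fallback) cover the
#    name configured as ServerName/ServerAlias?
cert_covers_host() {  # cert_covers_host CERTFILE HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 3. Missing chain: can the leaf be chained to the trust anchor using only the
#    intermediates the administrator supplied (none if CHAINFILE is omitted)?
chain_verifies() {  # chain_verifies CERTFILE CAFILE [CHAINFILE]
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# A FAIL line is the check catching a misconfiguration at start-up, which is
# what the server would otherwise only discover at handshake time.
check() {  # check LABEL COMMAND ARGS...
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

check "leaf.key belongs to leaf.pem"       key_matches_cert leaf.key leaf.pem
check "other.key belongs to leaf.pem"      key_matches_cert other.key leaf.pem
check "leaf.pem covers www.example.test"   cert_covers_host leaf.pem www.example.test
check "leaf.pem covers mail.example.test"  cert_covers_host leaf.pem mail.example.test
check "chain verifies with int.pem"        chain_verifies leaf.pem root.pem int.pem
check "chain verifies without int.pem"     chain_verifies leaf.pem root.pem
```

Run as-is; the second, fourth and sixth checks are the deliberately broken configurations (wrong key, name not in the SAN, chain file absent) and are expected to print FAIL. Comparing the public keys rather than RSA moduli keeps the first check valid for EC and other key types, and `-checkhost` applies the same SAN/CN matching rules OpenSSL uses for X509_check_host().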
