On 05/02/2012 11:08, Kaspar Brand wrote: > On 04.02.2012 15:27, Dr Stephen Henson wrote: >> IMHO to avoid these problems it would be better if mod_ssl could send an >> arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL >> to >> process them in an appropriate manner. > > Would that mean supplying names of key/certificate files to OpenSSL, or > are you thinking of sending parsed keys/certs (like > SSL_CTX_use_PrivateKey() etc. does right now)? >
The existing API would still work so you'd just be able to use SSL_CTX_use_PrivateKey and SSL_use_PrivateKey etc as now but it could be used more times. > Dealing with encrypted keys might become more tricky, depending on how > the API for this would look like (currently, mod_ssl remembers the > unencrypted keys in a separate table, so that they can survive a > reload). > I had a quick look at that a while ago. It seems to be rather old code using algorithm specific key serialisation functions. It has been possible to serialise arbitrary private keys using the PKCS#8 format for some years now. Also support for ENGINE based private keys is something mod_ssl should support but it is problematical. A key might reside on an HSM ENGINE through an API which OpenSSL has restricted control over including authentication (e.g. a PIN pad, card insertion etc). In some cases you cannot reload the EVP_PKEY structure without reauthentication. I'm not sure if that could be worked round by attempting to cache the EVP_PKEY structure instead. >> If finer control over some operations (for example to detect configuration >> errors) is required OpenSSL could be extended to support that. > > This would certainly help. Things which come to mind: host name mismatch > (i.e., cert does not include DNS name for ServerName/ServerAlias), > private-vs.-public-key mismatch, missing chain. > I'm currently working on enhancing the API. In OpenSSL HEAD it is now possible to use different certificate chains per key type tied to an SSL or SSL_CTX structure: overcoming the limitation of only allowing one custom chain per SSL_CTX. Building and caching of chains with error detection is something I'll also include. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 [email protected]
