Since you mentioned RFC 5878, I've attached a patch to issue 55467 which allows 
third party modules to send and receive custom TLS extensions or supplemental 
data (which can be used to implement support for RFC 5878), and adds reneg 
support as well (as some folks only want to send the extensions after the 
initial handshake).

https://issues.apache.org/bugzilla/show_bug.cgi?id=55467

Scott

On Sep 24, 2013, at 10:39 PM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:

> On 25.09.2013 04:13, Trevor Perrin wrote:
>> The feature is checked in to the 1.0.2 branch [1], so we'd like to
>> expose it through Apache.
>> 
>> The patch is pretty simple.  I suppose more tests or docs might be
>> needed (?), which I'm happy to write.
>> 
>> Anyways, is this something Apache is interested in?  Does the patch
>> look correct? [2]
> 
> I'd very much prefer to see this supported via SSLOpenSSLConfCmd
> (http://svn.apache.org/r1421323), and not code this into mod_ssl by
> adding yet another directive. For the authz_file / RFC 5878 stuff, I did
> some experiments at the time, and am attaching a[n untested] patch for
> SSL_CTX_use_serverinfo_file - could you give it a try?
> 
> Depending on when exactly you need the SSL_CTX_use_serverinfo_file to
> happen in ssl_engine_init.c, we might have to move around the #ifdef
> HAVE_SSL_CONF_CMD block somewhat, but this shouldn't be a real issue
> (for authz_file, it was necessary/doable).
> 
> Kaspar
> <cmd_ServerInfoFile.diff>
