On 25/09/2013 06:39, Kaspar Brand wrote:
> On 25.09.2013 04:13, Trevor Perrin wrote:
>> The feature is checked in to the 1.0.2 branch [1], so we'd like to
>> expose it through Apache.
>>
>> The patch is pretty simple. I suppose more tests or docs might be
>> needed (?), which I'm happy to write.
>>
>> Anyways, is this something Apache is interested in? Does the patch
>> look correct? [2]
>
> I'd very much prefer to see this supported via SSLOpenSSLConfCmd
> (http://svn.apache.org/r1421323), and not code this into mod_ssl by
> adding yet another directive. For the authz_file / RFC 5878 stuff, I did
> some experiments at the time, and am attaching a[n untested] patch for
> SSL_CTX_use_serverinfo_file - could you give it a try?
>
> Depending on when exactly you need the SSL_CTX_use_serverinfo_file to
> happen in ssl_engine_init.c, we might have to move around the #ifdef
> HAVE_SSL_CONF_CMD block somewhat, but this shouldn't be a real issue
> (for authz_file, it was necessary/doable).
Couple of minor refinements. If you do:

    + {cmd_serverinfo_file, "ServerInfoFile", "serverinfo"},

It gets supported in command line utilities too (like s_server, making it
unnecessary to code it separately). Also if it is only used for servers you
need something like:

    if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
        return -2;

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
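The two refinements Steve describes (one table entry carrying both the config-file and command-line spellings, plus a server-only guard that returns -2) are easier to see against a small dispatch model. The following is an added example written for this thread, not code from OpenSSL or from either patch: the flag bits and return codes follow the SSL_CONF_cmd(3) conventions (2 when command and value are consumed, -2 when the command is not recognised, -3 when a required value is missing), but the context struct, the table layout, the lookup loop and the stub `cmd_serverinfo_file` body are simplified stand-ins, and the `/etc/ssl/serverinfo.pem` path is a constructed sample input. The real command would call `SSL_CTX_use_serverinfo_file()` where the model just records the path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added model of the SSL_CONF_cmd dispatch discussed in the thread. The flag
 * bits and return codes follow SSL_CONF_cmd(3); the types, table and command
 * body are simplified stand-ins for illustration, not OpenSSL's own code. */
#define SSL_CONF_FLAG_CMDLINE 0x1U   /* accept command-line names ("-serverinfo") */
#define SSL_CONF_FLAG_FILE    0x2U   /* accept config-file names ("ServerInfoFile") */
#define SSL_CONF_FLAG_CLIENT  0x4U
#define SSL_CONF_FLAG_SERVER  0x8U

typedef struct {
    unsigned int flags;
    const char *serverinfo_file;  /* stands in for the SSL_CTX the real command updates */
} conf_ctx;

typedef struct {
    int (*cmd)(conf_ctx *cctx, const char *value);
    const char *str_file;     /* config-file spelling, the one SSLOpenSSLConfCmd passes through */
    const char *str_cmdline;  /* command-line spelling, minus the leading '-' */
} conf_cmd_entry;

/* Server-only command. Returning -2 makes it look "not recognised" to a
 * client-mode caller, which is the guard Steve asks for. */
static int cmd_serverinfo_file(conf_ctx *cctx, const char *value)
{
    if (!(cctx->flags & SSL_CONF_FLAG_SERVER))
        return -2;
    if (value == NULL)
        return -3;                  /* recognised, but a value is required */
    cctx->serverinfo_file = value;  /* real code: SSL_CTX_use_serverinfo_file(ctx, value) */
    return 2;                       /* command and value both consumed */
}

/* One entry serves both spellings, so s_server needs no separate handling. */
static const conf_cmd_entry cmd_table[] = {
    {cmd_serverinfo_file, "ServerInfoFile", "serverinfo"},
};

/* Pick the spelling to match from the context's mode flags. */
static const conf_cmd_entry *conf_lookup(const conf_ctx *cctx, const char *cmd)
{
    size_t i;
    for (i = 0; i < sizeof(cmd_table) / sizeof(cmd_table[0]); i++) {
        const conf_cmd_entry *e = &cmd_table[i];
        if ((cctx->flags & SSL_CONF_FLAG_CMDLINE) && e->str_cmdline != NULL
            && cmd[0] == '-' && strcmp(cmd + 1, e->str_cmdline) == 0)
            return e;
        if ((cctx->flags & SSL_CONF_FLAG_FILE) && e->str_file != NULL
            && strcmp(cmd, e->str_file) == 0)
            return e;
    }
    return NULL;
}

/* Mirrors SSL_CONF_cmd(): 2 on success with a value, -2 unknown, -3 missing value. */
int conf_cmd(conf_ctx *cctx, const char *cmd, const char *value)
{
    const conf_cmd_entry *e = conf_lookup(cctx, cmd);
    if (e == NULL)
        return -2;
    return e->cmd(cctx, value);
}

/* Run one command against a fresh context created with the given flags. */
int try_conf_cmd(unsigned int flags, const char *cmd, const char *value)
{
    conf_ctx cctx = {flags, NULL};
    return conf_cmd(&cctx, cmd, value);
}

int main(void)
{
    const char *path = "/etc/ssl/serverinfo.pem";  /* constructed sample path */
    printf("server, file form:    %d\n",
           try_conf_cmd(SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_FILE, "ServerInfoFile", path));
    printf("server, cmdline form: %d\n",
           try_conf_cmd(SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CMDLINE, "-serverinfo", path));
    printf("client, cmdline form: %d\n",
           try_conf_cmd(SSL_CONF_FLAG_CLIENT | SSL_CONF_FLAG_CMDLINE, "-serverinfo", path));
    return 0;
}
```

With an entry of this shape in place, mod_ssl's SSLOpenSSLConfCmd would hand "ServerInfoFile" and the path straight to SSL_CONF_cmd in file mode, and s_server would accept the same option as -serverinfo in command-line mode; a client-mode context gets -2 from either spelling, so the option is rejected rather than silently ignored.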