On Sun, Sep 29, 2013 at 1:06 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
> On 28.09.2013 18:34, Dr Stephen Henson wrote:
>> How about something like:
>>
>> int SSL_CONF_cmd_type(SSL_CONF_CTX *cctx, const char *cmd);
>>
>> which can return things like...
>>
>> SSL_CONF_TYPE_INVALID: unrecognised name.
>> SSL_CONF_TYPE_FILE: file name.
>> SSL_CONF_TYPE_DIR: directory name.
>> ... others ...
>> SSL_CONF_TYPE_STR: string with no special meaning.
>
> Sounds good, yes.
Sounds fine to me.

But another wrinkle is occurring to me: we're going to need different ServerInfo files for different certs (since things like Certificate Transparency and TACK will return different data depending on the server's cert/key).

The OpenSSL code was written on the assumption of one ServerInfo file per SSL_CTX, so it will need a bit of rework. But it's worth discussing what the API should be.

There are currently 8 possible key/cert types in OpenSSL (ssl/ssl_locl.h):

"""
#define SSL_PKEY_RSA_ENC 0
#define SSL_PKEY_RSA_SIGN 1
#define SSL_PKEY_DSA_SIGN 2
#define SSL_PKEY_DH_RSA 3
#define SSL_PKEY_DH_DSA 4
#define SSL_PKEY_ECC 5
#define SSL_PKEY_GOST94 6
#define SSL_PKEY_GOST01 7
"""

I think we'd rather not try to embed OIDs or whatever in the ServerInfo files. Perhaps the ServerInfoFile ConfCmd could be annotated to refer to these identifiers somehow?

SSLOpenSSLConfCmd ServerInfoFile_RSA_ENC certs/ServerInfo1.pem
SSLOpenSSLConfCmd ServerInfoFile_RSA_SIGN certs/ServerInfo2.pem

- or -

SSLOpenSSLConfCmd ServerInfoFile 0 certs/ServerInfo1.pem
SSLOpenSSLConfCmd ServerInfoFile 1 certs/ServerInfo2.pem

Any thoughts??

Trevor
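To make the two proposed directive forms concrete, here is an added example (not code from the thread, OpenSSL or mod_ssl) of a resolver that maps either spelling of the per-cert ServerInfoFile directive to the SSL_PKEY_* slot and the file path. The function name resolve_serverinfo_cmd and the struct are hypothetical; the slot numbers and suffix names come from the ssl_locl.h excerpt quoted above. Unknown suffixes, out-of-range indexes and a missing or extra path argument are rejected rather than silently assigned to slot 0, which is the failure mode a loader for per-cert data most needs to avoid.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Key/cert slot identifiers as listed in OpenSSL's ssl/ssl_locl.h. */
#define SSL_PKEY_RSA_ENC  0
#define SSL_PKEY_RSA_SIGN 1
#define SSL_PKEY_DSA_SIGN 2
#define SSL_PKEY_DH_RSA   3
#define SSL_PKEY_DH_DSA   4
#define SSL_PKEY_ECC      5
#define SSL_PKEY_GOST94   6
#define SSL_PKEY_GOST01   7
#define SSL_PKEY_NUM      8

/* Suffixes for the "ServerInfoFile_<SUFFIX>" form, indexed by slot. */
static const char *const pkey_suffixes[SSL_PKEY_NUM] = {
    "RSA_ENC", "RSA_SIGN", "DSA_SIGN", "DH_RSA",
    "DH_DSA", "ECC", "GOST94", "GOST01"
};

/* Hypothetical result of resolving one ServerInfoFile directive. */
struct serverinfo_cmd {
    int pkey;          /* SSL_PKEY_* slot, or -1 if resolution failed */
    char path[256];    /* file name argument */
};

/* Hypothetical resolver accepting either proposed form:
 *   name "ServerInfoFile_<SUFFIX>", args "<path>"
 *   name "ServerInfoFile",          args "<index> <path>"
 * Returns 0 on success, -1 on any malformed or unknown input. */
int resolve_serverinfo_cmd(const char *name, const char *args,
                           struct serverinfo_cmd *out)
{
    static const char prefix[] = "ServerInfoFile";
    size_t plen = sizeof(prefix) - 1;
    const char *path = args;

    out->pkey = -1;
    out->path[0] = '\0';
    if (name == NULL || args == NULL || strncmp(name, prefix, plen) != 0)
        return -1;

    if (name[plen] == '_') {
        /* Form 1: the suffix names the slot; anything unknown is an error. */
        const char *suffix = name + plen + 1;
        int i, found = -1;
        for (i = 0; i < SSL_PKEY_NUM; i++)
            if (strcmp(suffix, pkey_suffixes[i]) == 0) { found = i; break; }
        if (found < 0)
            return -1;
        out->pkey = found;
    } else if (name[plen] == '\0') {
        /* Form 2: first argument is the numeric slot index, then the path. */
        char *end;
        long idx;
        while (isspace((unsigned char)*args)) args++;
        idx = strtol(args, &end, 10);
        if (end == args || !isspace((unsigned char)*end) ||
            idx < 0 || idx >= SSL_PKEY_NUM)
            return -1;
        out->pkey = (int)idx;
        path = end;
    } else {
        return -1;   /* e.g. "ServerInfoFileX": not this directive */
    }

    while (isspace((unsigned char)*path)) path++;
    if (*path == '\0' || strlen(path) >= sizeof(out->path))
        return -1;
    /* Exactly one path argument is expected; reject trailing tokens. */
    if (strpbrk(path, " \t") != NULL)
        return -1;
    strcpy(out->path, path);
    return 0;
}

int main(void)
{
    /* Constructed sample directives, both forms from the proposal. */
    const char *samples[][2] = {
        { "ServerInfoFile_RSA_ENC", "certs/ServerInfo1.pem" },
        { "ServerInfoFile",         "1 certs/ServerInfo2.pem" },
        { "ServerInfoFile_FOO",     "certs/bad.pem" },
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct serverinfo_cmd c;
        int rc = resolve_serverinfo_cmd(samples[i][0], samples[i][1], &c);
        printf("%-24s -> rc=%d pkey=%d path=%s\n",
               samples[i][0], rc, c.pkey, rc == 0 ? c.path : "(none)");
    }
    return 0;
}
```

Whichever spelling is chosen, the index or suffix identifies the slot a ServerInfo file belongs to without putting OIDs inside the file itself, and the resolver refuses directives whose slot cannot be determined so that extension data is never attached to the wrong certificate.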