On 13.10.2013 00:43, Trevor Perrin wrote:
> On Thu, Oct 10, 2013 at 4:44 PM, Dr Stephen Henson
>> I *think* you then have to delve into ssl_pphrase_Handle() [note the comment
>> on
>> the way in] and somehow link the ServerInfo index with something you can use
>> to
>> recognise it later. The algorithm type 'at' might be usable or perhaps turn
>> the
>> algorithm type into one of the SSL_AIDX_<ALGORITHM> values?
>
> I don't see a direct way to map ssl_algo_t to the SSL_AIX_* that's
> needed later. I suppose something could be kludged out of
> ssl_util_algotypestr() and ssl_asn1_keystr().
>
> But maybe the easiest way to handle this is to create another hash
> table like tPublicCert (e.g. tServerInfoFile or tSSLConfCmd).
>
> This table could be populated in ssl_pphrase_Handle at the same time
> that the tPublicCert table is populated, and read in
> ssl_server_import_certs()?
Please not... as the comment in ssl_private.h already says, "This should
really be fixed using a smaller structure".
As a proof of concept (or proof of my theory, if you like), I'm
attaching a patch which completely does without the whole
ssl_pphrase_Handle dance (with the limitation of not supporting
encrypted key files, currently).
> This would be easy to do as a directive, since only a ServerInfoFile
> string would be stored in the hash table, and no OpenSSL changes are
> needed.
>
> As an SSL_CONF_CMD, there's more work:
> - Add some indicator to distinguish per-cert vs global commands (?)
> - Serialize/deserialize SSL_CONF_CMD name/value lists into the hashtable
> - OpenSSL work:
> - Implement SSL_CONF_CMD for ServerInfoFile
> - Implement SSL_CONF_cmd_type(...) for relative path handling
Provided that OpenSSL adds support for KeyFile and CertificateFile to
SSL_CONF, you could simply replace the
SSL_CTX_use_certificate_chain_file()/SSL_CTX_use_PrivateKey_file() calls
with a replay of the whole SSL_CONF_CMD stanza, including ServerInfoFile.
> It seems like you guys are contemplating a larger redesign of cert/key
> handling based around SSL_CONF_CMD.
>
> Perhaps I could just do a directive for now, and let all this be swept
> into a big redesign later?
It depends on what your goal is. If it's a patch for your own needs,
then that's fine, but I'm clearly not in support of adding this to the
mod_ssl tree (not to trunk, but even less as a backport to 2.4.x).
Kaspar
Index: ssl_engine_init.c
===================================================================
--- ssl_engine_init.c (revision 1531623)
+++ ssl_engine_init.c (working copy)
@@ -185,6 +185,7 @@
}
#endif
+#if 0
/*
* read server private keys/public certs into memory.
* decrypting any encrypted keys via configured SSLPassPhraseDialogs
@@ -192,6 +193,7 @@
* restarts, in which case they'll live inside s->process->pool.
*/
ssl_pphrase_Handle(base_server, ptemp);
+#endif
/*
* initialize the mutex handling
@@ -835,7 +837,9 @@
if (mctx->pks) {
/* XXX: proxy support? */
+#if 0
ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
+#endif
#ifdef HAVE_TLSEXT
ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
#endif
@@ -1019,6 +1023,7 @@
int have_ecc;
#endif
+#if 0
rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA);
dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA);
#ifdef HAVE_ECC
@@ -1061,6 +1066,36 @@
"Oops, no " KEYTYPES " server private key found?!");
ssl_die(s);
}
+#else
+ const char *certfile, *keyfile;
+ for (i = 0; (certfile = mctx->pks->cert_files[i]) != NULL; i++) {
+ if ((SSL_CTX_use_certificate_chain_file(mctx->ssl_ctx, certfile) < 1))
{
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO()
+ "Failed to configure certificate #%d for %s, check
%s",
+ i + 1, vhost_id, certfile);
+ break;
+ }
+ keyfile = ((mctx->pks->key_files[i] != NULL) ?
+ mctx->pks->key_files[i] : certfile);
+ if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile,
+ SSL_FILETYPE_PEM) < 1) ||
+ (SSL_CTX_check_private_key(mctx->ssl_ctx) < 1)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO()
+ "Failed to configure key #%d for %s, check %s",
+ i + 1, vhost_id, keyfile);
+ break;
+ }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO()
+ "Certificate and key #%d for %s configured from %s and
%s",
+ i + 1, vhost_id, certfile, keyfile);
+ }
+ if (i < 1) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO()
+ "Failed to configure certificate and key for %s",
+ vhost_id);
+ ssl_die(s);
+ }
+#endif
/*
* Try to read DH parameters from the (first) SSLCertificateFile
