On 11.10.2013 13:53, Dr Stephen Henson wrote:
> IMHO though there needs to be a way to be able to tie a directive to a
> certificate in mod_ssl anyway though. I'm surprised no one has needed to do
> that
> before.
I'm not sure we really need this for mod_ssl, as configuring more than
one cert per vhost is probably a very rare case (the number of non-RSA
certs on public sites is extremely small - in the 2010 SSL Survey from
Qualys e.g., a few more than 100 out of 600,000 were DSA [1]). If people
deliberately want to go for something other than RSA, I would assume
that they either omit the RSA cert completely, or set up a dedicated
vhost for (EC)DSA.
> Well moving the SSL_CONF_CMD block does have some consequences. I placed it at
> (what I think is) the last possible point for a reason: so the SSL_CONF could
> reset just about anything set by Apache.
Currently, it's at the end of ssl_init_ctx_protocol(), which happens
still relatively early when looking at what ssl_init_ConfigureServer()
does (which is used to configure a specific vhost): for server mode,
ssl_init_ConfigureServer() calls ssl_init_server_ctx(), which in turn calls:
ssl_init_server_check()
ssl_init_ctx(), which consists of
ssl_init_ctx_protocol()
ssl_init_ctx_session_cache()
ssl_init_ctx_callbacks()
ssl_init_ctx_verify()
ssl_init_ctx_cipher_suite()
ssl_init_ctx_crl()
ssl_init_ctx_cert_chain()
ssl_init_server_certs(), which consists of
ssl_server_import_cert(), once per type
ssl_server_import_key(), once per type
ssl_init_ticket_key()
My PoC places the SSL_CTX_use_certificate_chain_file() and
SSL_CTX_use_PrivateKey_file() calls in ssl_init_server_certs, which
should also work fine for applying all SSL_CONF stuff with
SSL_CONF_CTX_set_ssl_ctx, I think.
> I think at least some twiddling with ssl_pphrase_Handle() would be needed
> because Apache will (I think) choke if you have no certificates configured.
Yes and no - see the PoC I attached to my previous message, where I
simply disabled the code relying on the tPublicCert and tPrivateKey
hashes. As the name of ssl_pphrase_Handle() says, it's raison d'ĂȘtre is
essentially handling encrypted private keys - and I hope that for the
future, we could strip it down to the minimum required.
Kaspar
[1] https://www.ssllabs.com/projects/ssl-survey/index.html
