On Thu, Jan 30, 2014 at 2:37 PM, Dr Stephen Henson <[email protected]> wrote:

> On 30/01/2014 18:25, Kaspar Brand wrote:
> > On 29.01.2014 19:15, Graham Leggett wrote:
> >> On 29 Jan 2014, at 16:24, [email protected] wrote:
> >>> URL: http://svn.apache.org/r1562500
> >>> Log:
> >>> propose SSLCertificate[Key]File/SSLCertificateChainFile overhaul for mod_ssl
> >>
> >> Would it be possible to do the same for the SSLProxy* directives?
> >
> > I think so. Without having looked at the details of the current
> > implementation, switching to OpenSSL's "standard" calls for loading
> > certs and keys (SSL_CTX_use_*_file) should be possible for the SSL
> > client case as well. Given that SSLProxyMachineCertificateFile,
> > SSLProxyMachineCertificateChainFile and SSLProxyMachineCertificatePath
> > are global-level-only directives, and that there is no
> > SSLProxyMachineCertificateKeyFile directive right now, it would probably
> > be a somewhat more intrusive change, compared to what has been done for
> > the server-side part so far.
> >
>
> I wasn't sure of the details of the current implementation either. Would it be
> appropriate to have SSL_CONF usable with SSLProxy* too?
>

Surely "yes" is the answer; i.e., there is or will be some optional OpenSSL processing that could conceivably be appropriate for the TLS client used by proxy, for which mod_ssl doesn't have specific support.

> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> [email protected]
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/
