On Tue, Mar 21, 2017 at 6:08 PM, zzz <[email protected]> wrote:
> I am prototyping an Apache module that performs certain security compliance
> checks, one aspect of which requires access to the SSL_CTX that mod_ssl
> creates for an SSL enabled server.
>
> Access to that object is currently through the SSLSrvConfigRec->server and
> modssl_ctx_t->ssl_ctx structures, which works well but I would like to avoid
> directly accessing these private structures if possible.
>
> It would be nice if the public API of mod_ssl (perhaps exposed in
> ssl_util_ssl.h) defined a function such as:
>
> /* please be a function not a macro! */
> SSL_CTX *sslctx_from_server(server_rec *s)
> {
>     SSLSrvConfigRec *sc = mySrvConfig(s);
>     if (sc && sc->enabled > 0) {
>         return sc->server->ssl_ctx;
>     }
>     return NULL;
> }
>
> Of course if there is a better way to go about it glad to hear it!

Because our design model allows us to substitute at-will the underlying
providers, that is not likely to become public.

Perhaps an accessor fn to return the ctx or not, but that would have to
be scoped by the version of OpenSSL which mod_ssl is compiled against.
It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or
whatever... you also have a revisioned ssl context structure.

So diving into the private values is fine, if you know exactly what you
are doing (e.g. you built the OpenSSL dependency too)... otherwise
it's necessary for us to express a new API to get a reversioned ctx
pointer with enough information to know what is at the end of that
pointer.
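The "reversioned ctx pointer" idea above, sketched as an added, stand-alone example (not httpd or mod_ssl code): the accessor hands back a small handle carrying provider name and the OPENSSL_VERSION_NUMBER it was built against, and the consuming module refuses to dereference it unless both match its own build. The handle type, `modssl_ctx_ref`, and the ABI rule encoded in `modssl_abi_compatible` (1.0.x, 1.1.x and 3.x each being one shared-library ABI, as their libssl SONAMEs suggest) are my assumptions, not something the thread defines.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical versioned handle a mod_ssl accessor could return instead of a
 * bare SSL_CTX*. Constructed for this example only. */
typedef struct {
    const char   *provider;    /* e.g. "openssl", "libressl" */
    unsigned long lib_version; /* OPENSSL_VERSION_NUMBER mod_ssl was built against */
    void         *ctx;         /* opaque: only meaningful once the checks pass */
} modssl_ctx_ref;

/* OPENSSL_VERSION_NUMBER layout: 0xMNNFFPPS (major, minor, fix, patch, status). */
static unsigned long ver_major(unsigned long v) { return (v >> 28) & 0xf; }
static unsigned long ver_minor(unsigned long v) { return (v >> 20) & 0xff; }

/* Assumed ABI rule (not stated in the thread): major+minor must agree for 1.x
 * (libssl.so.1.0.0 vs libssl.so.1.1), major alone from 3.0 on (libssl.so.3). */
int modssl_abi_compatible(unsigned long built, unsigned long mine)
{
    if (ver_major(built) != ver_major(mine)) return 0;
    if (ver_major(built) >= 3) return 1;
    return ver_minor(built) == ver_minor(mine);
}

/* Caller-side gate: only dereference the context when provider and ABI line
 * up with what this module itself was compiled against. */
void *modssl_ctx_from_ref(const modssl_ctx_ref *ref,
                          const char *provider, unsigned long mine)
{
    if (!ref || !ref->ctx || !ref->provider || !provider) return NULL;
    if (strcmp(ref->provider, provider) != 0) return NULL;
    if (!modssl_abi_compatible(ref->lib_version, mine)) return NULL;
    return ref->ctx;
}

/* Constructed stand-in for the context mod_ssl would own. */
static int fake_ctx;

/* Builds a handle as the server side would and reports whether a module
 * built for (wanted, mine) is allowed to use it. */
int demo_lookup(const char *provider, unsigned long built,
                const char *wanted, unsigned long mine)
{
    modssl_ctx_ref ref = { provider, built, &fake_ctx };
    return modssl_ctx_from_ref(&ref, wanted, mine) == &fake_ctx;
}
```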
