Re: SSLDisableCRLCaching, is it even possible in 2.4.x?

2015-04-22 Thread Kaspar Brand
On 22.04.2015 10:36, Jan Kaluža wrote:
> On 04/22/2015 09:50 AM, Kaspar Brand wrote:
>> Fiddling with OpenSSL internals
>> looks rather scary to me, at least at first sight - perhaps there's an
>> API for clearing a CRL store in OpenSSL?
>
> Unfortunately there's no such API in OpenSSL. There's a caching flag in
> the X509_STORE struct, but it's never actually used for anything.
>
> Maybe it would be a better idea to implement that in OpenSSL

+1 for this, indeed. It would be good to not repeat history - i.e., add
code to mod_ssl which actually belongs into OpenSSL (specifically in
this case, where we would operate on low-level OpenSSL structures, which
looks like a fairly brittle approach).

> I was hoping to have this feature in httpd at first.

Understandable from an httpd package maintainer's point of view, I
agree. Could a temporary patch to your vendor OpenSSL package be a
short-term approach, with the long-term goal of getting it added as an
official API into OpenSSL 1.0.something?

Kaspar


Re: SSLDisableCRLCaching, is it even possible in 2.4.x?

2015-04-22 Thread Kaspar Brand
On 21.04.2015 12:20, Jan Kaluža wrote:
> we used to have a patch against httpd-2.2.15 to add SSLDisableCRLCaching
> option to not cache CRLs. I was trying to adapt this patch for
> httpd-trunk and eventually include it upstream but now I'm at a dead end.
>
> The patch removes all the CRLs from the per-server_rec OpenSSL cache
> created in ssl_init_ctx_crl (OpenSSL caches the CRLs in
> X509_store.objs). This all works properly, but I'm thinking about
> thread-safety.

Starting with 2.3.15 (https://svn.apache.org/r1165056), CRL checking was
completely delegated to OpenSSL, so it would be a bit surprising to me
if that patch can be ported to trunk. Fiddling with OpenSSL internals
looks rather scary to me, at least at first sight - perhaps there's an
API for clearing a CRL store in OpenSSL?

Kaspar


Re: SSLDisableCRLCaching, is it even possible in 2.4.x?

2015-04-22 Thread Jan Kaluža

On 04/22/2015 09:50 AM, Kaspar Brand wrote:
> On 21.04.2015 12:20, Jan Kaluža wrote:
>> we used to have a patch against httpd-2.2.15 to add SSLDisableCRLCaching
>> option to not cache CRLs. I was trying to adapt this patch for
>> httpd-trunk and eventually include it upstream but now I'm at a dead end.
>>
>> The patch removes all the CRLs from the per-server_rec OpenSSL cache
>> created in ssl_init_ctx_crl (OpenSSL caches the CRLs in
>> X509_store.objs). This all works properly, but I'm thinking about
>> thread-safety.
>
> Starting with 2.3.15 (https://svn.apache.org/r1165056), CRL checking was
> completely delegated to OpenSSL, so it would be a bit surprising to me
> if that patch can be ported to trunk.

I'm aware of that, that's why I'm rewriting that patch for trunk :).

> Fiddling with OpenSSL internals
> looks rather scary to me, at least at first sight - perhaps there's an
> API for clearing a CRL store in OpenSSL?

Unfortunately there's no such API in OpenSSL. There's a caching flag in
the X509_STORE struct, but it's never actually used for anything.

Maybe it would be a better idea to implement that in OpenSSL, but that's
kind of a long-term goal. I was hoping to have this feature in httpd at first.

> Kaspar



Regards,
Jan Kaluza



SSLDisableCRLCaching, is it even possible in 2.4.x?

2015-04-21 Thread Jan Kaluža

Hi,

we used to have a patch against httpd-2.2.15 to add SSLDisableCRLCaching
option to not cache CRLs. I was trying to adapt this patch for
httpd-trunk and eventually include it upstream but now I'm at a dead end.

The patch removes all the CRLs from the per-server_rec OpenSSL cache
created in ssl_init_ctx_crl (OpenSSL caches the CRLs in
X509_store.objs). This all works properly, but I'm thinking about
thread-safety.


The theoretical problem can happen when something gets the pointer to a
CRL from the cache, my code removes the CRL from the cache and deletes
it, and the original code starts using the pointer, which is now pointing
to a deleted object.


I have seen the X509_OBJECT.references variable, which could help me a lot
here (I could just decrease the refcount instead of deleting), but it
seems this is not used anywhere in OpenSSL, so it's actually useless.
Does anyone know if that's really true or if I'm just missing something?


I'm looking for someone to review that code (maybe I'm not right about
the thread-safety problem) or to advise me on a way to move forward (if
there is any).


Thanks,
Jan Kaluza


Attachment: httpd-trunk-disable-crl.patch (application/download)
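The following is an added illustration, not code from httpd, from the patch attached above, or from OpenSSL: a minimal reference-counted CRL cache in plain C showing the protocol that makes "flush the cache" safe while a lookup result is still in use, which is exactly the race described in the post (a verification holds a pointer, the flush frees the object, the verification then dereferences freed memory). The cache, the crl_obj type and every function name here are invented for the example; only the convention is borrowed from OpenSSL, whose get1_-style accessors hand the caller a new reference that it must release. Each holder (the cache itself and every live lookup result) owns one reference, a flush drops only the cache's own references, and the object is destroyed only when the last holder lets go. Locking around the list walk is left out so the refcount protocol stays visible; the counter itself is a C11 atomic.

```c
/* Added example (not from httpd, the attached patch, or OpenSSL): a
 * reference-counted CRL cache. crl_obj stands in for an X509_CRL held in
 * an X509_STORE's object cache; all names below are made up. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct crl_obj {
    char issuer[64];      /* stand-in for the CRL issuer name */
    long number;          /* stand-in for the CRL number extension */
    atomic_int refs;      /* one reference per holder: the cache + each live lookup result */
    struct crl_obj *next;
} crl_obj;

typedef struct { crl_obj *head; } crl_cache;

/* Create a CRL object owned by the caller (refs == 1). */
static crl_obj *crl_new(const char *issuer, long number)
{
    crl_obj *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    snprintf(c->issuer, sizeof c->issuer, "%s", issuer);
    c->number = number;
    atomic_init(&c->refs, 1);
    return c;
}

/* Take one more reference on behalf of a new holder. */
static void crl_up_ref(crl_obj *c) { atomic_fetch_add(&c->refs, 1); }

/* Drop one reference; free only when the last holder lets go.
 * Returns 1 if the object was destroyed, 0 if other holders remain. */
static int crl_release(crl_obj *c)
{
    if (!c) return 0;
    if (atomic_fetch_sub(&c->refs, 1) == 1) { free(c); return 1; }
    return 0;
}

/* Add a CRL to the cache. The cache takes over the caller's reference. */
static void cache_add(crl_cache *cache, crl_obj *c)
{
    c->next = cache->head;
    cache->head = c;
}

/* Look up by issuer. Returns a NEW reference the caller must crl_release(),
 * so a flush that races with the caller cannot free the object under it.
 * (A real cache would hold a lock for the list walk.) */
static crl_obj *cache_lookup(crl_cache *cache, const char *issuer)
{
    for (crl_obj *c = cache->head; c; c = c->next)
        if (strcmp(c->issuer, issuer) == 0) { crl_up_ref(c); return c; }
    return NULL;
}

/* Flush: drop only the cache's own references. Objects still held by an
 * in-flight verification survive until that holder releases them.
 * Returns the number of entries removed from the cache. */
static int cache_flush(crl_cache *cache)
{
    int n = 0;
    crl_obj *c = cache->head;
    cache->head = NULL;
    while (c) {
        crl_obj *next = c->next;
        crl_release(c);
        c = next;
        n++;
    }
    return n;
}

/* The scenario from the post, played out sequentially: a lookup result is
 * in use while the cache is flushed and reloaded with a newer CRL.
 * Returns 1 if every step behaved as intended, 0 otherwise. */
int demo_flush_while_in_use(void)
{
    crl_cache cache = { NULL };
    cache_add(&cache, crl_new("CN=Example CA", 41));          /* constructed sample */

    crl_obj *held = cache_lookup(&cache, "CN=Example CA");   /* refs: 2 */
    if (!held || atomic_load(&held->refs) != 2) return 0;

    if (cache_flush(&cache) != 1) return 0;                   /* refs: 1, NOT freed */
    if (atomic_load(&held->refs) != 1 || held->number != 41) return 0;

    cache_add(&cache, crl_new("CN=Example CA", 42));          /* reload a newer CRL */
    crl_obj *fresh = cache_lookup(&cache, "CN=Example CA");
    if (!fresh || fresh == held || fresh->number != 42) return 0;

    if (crl_release(held) != 1) return 0;                     /* last holder frees the old one */
    crl_release(fresh);
    cache_flush(&cache);
    return 1;
}

int main(void)
{
    printf("refcounted flush %s\n", demo_flush_while_in_use() ? "ok" : "FAILED");
    return 0;
}
```

The point the example makes is the one the post is circling: with a working refcount, "disable caching" does not need to delete anything out from under a verifier; the flush simply stops the cache being a holder, and the next verification picks up the freshly loaded CRL while any verification already in progress keeps a valid pointer to the old one. For what it is worth, OpenSSL 1.0.x already lets a store override how CRLs are looked up during verification via the X509_STORE_set_lookup_crls_cb() macro (a function, X509_STORE_set_lookup_crls(), from 1.1.0 on), which avoids touching the cached objects altogether; that path is not shown here.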