Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Dev

OpenSSL configuration and mod_ssl

  

 
Apache dev RSS feed   Index | Next | Previous | View Threaded


shenson at opensslfoundation

Feb 2, 2012, 6:13 AM

Post #1 of 6 (278 views)
Permalink
OpenSSL configuration and mod_ssl
Guys,

It has been apparent for some time that mod_ssl (and other applications) require
a considerable effort to support new features in OpenSSL.

A simple example is when a new flag is added which some, but not all, users may
want to set. Once this flag appears in an OpenSSL release every OpenSSL based
application needs to be modified to support and document it. Specification of
this option might be via a command line option or (in the case of mod_ssl and
others) a configuration file.

It would IMHO be far better if a mechanism existed to support automatic
configuration of some options by conforming applications.

There is a current example where this works well: the cipher string. With the
inclusion of TLS v1.2 in the upcoming OpenSSL 1.0.1 release several new
ciphersuites based on SHA256 and GCM have appeared. An application generally
doesn't need to know or care what these are. A user can enable or disable them
by just using the cipher string: it is passed as an opaque string which OpenSSL
interprets.

So my thoughts are that this concept could be generalised.

A simple answer is to add new string setting options. For example:

int SSL_CTX_set_options_string(SSL_CTX *ctx, const char *str);

This works for existing simple configuration but a new string (for example TLS
1.2 supported signature algorithms) might be added in the future so then we're
back to having to explicitly add support to all applications for each new string
configuration option.

So perhaps:

int SSL_CTX_set_config_string(SSL_CTX *ctx,
const char *name, const char *value);

Where the values of "name" can expand over time.

I'm not completely sure that this could be handled by the mod_ssl
configuration routines, perhaps someone could comment on that?

A third method is to delegate the configuration completely to OpenSSL using a
separate configuration file. So, we'd have an option to set the configuration
file to use and then something like:

int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);

Where "config_name" is a named configuration option in the OpenSSL configuration
file. This has the substantial advantage that there would
then be one configuration file format used by all OpenSSL applications.
The disadvantage is that it would look nothing like the existing Apache
configuration format.

Thoughts?

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson [at] opensslfoundation


ruediger.pluem at vodafone

Feb 2, 2012, 6:22 AM

Post #2 of 6 (266 views)
Permalink
RE: OpenSSL configuration and mod_ssl [In reply to]
> -----Original Message-----
> From: Dr Stephen Henson [mailto:shenson [at] opensslfoundation]
> Sent: Donnerstag, 2. Februar 2012 15:14
> To: dev [at] httpd
> Subject: OpenSSL configuration and mod_ssl
>
> Guys,
>
> It has been apparent for some time that mod_ssl (and other applications)
> require
> a considerable effort to support new features in OpenSSL.
>
> A simple example is when a new flag is added which some, but not all,
> users may
> want to set. Once this flag appears in an OpenSSL release every OpenSSL
> based
> application needs to be modified to support and document it.
> Specification of
> this option might be via a command line option or (in the case of
> mod_ssl and
> others) a configuration file.
>
> It would IMHO be far better if a mechanism existed to support automatic
> configuration of some options by conforming applications.
>
> There is a current example where this works well: the cipher string.
> With the
> inclusion of TLS v1.2 in the upcoming OpenSSL 1.0.1 release several new
> ciphersuites based on SHA256 and GCM have appeared. An application
> generally
> doesn't need to know or care what these are. A user can enable or
> disable them
> by just using the cipher string: it is passed as an opaque string which
> OpenSSL
> interprets.
>
> So my thoughts are that this concept could be generalised.
>
> A simple answer is to add new string setting options. For example:
>
> int SSL_CTX_set_options_string(SSL_CTX *ctx, const char *str);

+1 in principle. Could be handy for mod_ssl.

>
> This works for existing simple configuration but a new string (for
> example TLS
> 1.2 supported signature algorithms) might be added in the future so then
> we're
> back to having to explicitly add support to all applications for each
> new string
> configuration option.
>
> So perhaps:
>
> int SSL_CTX_set_config_string(SSL_CTX *ctx,
> const char *name, const char *value);
>
> Where the values of "name" can expand over time.

+1 same as above.

>
> I'm not completely sure that this could be handled by the mod_ssl
> configuration routines, perhaps someone could comment on that?
>
> A third method is to delegate the configuration completely to OpenSSL
> using a
> separate configuration file. So, we'd have an option to set the
> configuration
> file to use and then something like:
>
> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);

-0 from mod_ssl perspective. How do you configure which configuration file to use in this case?
If it is the system wide one I don't regard this as beneficial as a web server operator might
not have write access to it.


Regards

Rüdiger


shenson at opensslfoundation

Feb 2, 2012, 6:50 AM

Post #3 of 6 (268 views)
Permalink
Re: OpenSSL configuration and mod_ssl [In reply to]
On 02/02/2012 14:22, "Plüm, Rüdiger, VF-Group" wrote:
>
>>
>> It has been apparent for some time that mod_ssl (and other applications)
>> require
>> a considerable effort to support new features in OpenSSL.
>>
>>
>> A third method is to delegate the configuration completely to OpenSSL
>> using a
>> separate configuration file. So, we'd have an option to set the
>> configuration
>> file to use and then something like:
>>
>> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);
>
> -0 from mod_ssl perspective. How do you configure which configuration file to use in this case?
> If it is the system wide one I don't regard this as beneficial as a web server operator might
> not have write access to it.
>

Sorry should've explained that bit. The configuration file to use wouldn't be
hard coded. There would be a separate API which would allow an application to
decide which configuration file to use. It could be either a system wide one or
a local one dealing with mod_ssl only.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson [at] opensslfoundation


httpd-dev.2012 at velox

Feb 3, 2012, 11:32 PM

Post #4 of 6 (262 views)
Permalink
Re: OpenSSL configuration and mod_ssl [In reply to]
On 02.02.2012 15:13, Dr Stephen Henson wrote:
> So perhaps:
>
> int SSL_CTX_set_config_string(SSL_CTX *ctx,
> const char *name, const char *value);
>
> Where the values of "name" can expand over time.

I'm more in favor of this one - i.e., allow configuration through
key-value pairs (you could do that with the other variant by stuffing
them into a single string, but then there's the question of what
separator to use etc.)

> I'm not completely sure that this could be handled by the mod_ssl
> configuration routines, perhaps someone could comment on that?

Similar to the parameter handling in directives like "Define" or
"SetEnv", I think. "SSLSetOpenSSLOption" e.g.?

> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);
>
> Where "config_name" is a named configuration option in the OpenSSL configuration
> file. This has the substantial advantage that there would
> then be one configuration file format used by all OpenSSL applications.
> The disadvantage is that it would look nothing like the existing Apache
> configuration format.

Maybe mod_ssl could offer both - a directive for configuring via
key-value pairs for "simple" cases, and a config file based way for
complex setups. (In some way, it's what PHP currently does with the
php_value/php_admin_value directives and php.ini.)

BTW: I would like to see SSL_set_config_string(), too - for those
mod_ssl options which can be set on a per-directory basis.

Kaspar


minfrin at sharp

Feb 4, 2012, 3:47 AM

Post #5 of 6 (262 views)
Permalink
Re: OpenSSL configuration and mod_ssl [In reply to]
On 02 Feb 2012, at 4:13 PM, Dr Stephen Henson wrote:

> So my thoughts are that this concept could be generalised.
>
> A simple answer is to add new string setting options. For example:
>
> int SSL_CTX_set_options_string(SSL_CTX *ctx, const char *str);
>
> This works for existing simple configuration but a new string (for example TLS
> 1.2 supported signature algorithms) might be added in the future so then we're
> back to having to explicitly add support to all applications for each new string
> configuration option.

This came up during the design of the apr_crypto interface, which also required hard coded constants originally.

What we ended up with is a string modeled on the argv string (ie whitespace separated tokens, with support for quoting). The reason for this was that some crypto backends (Mozilla NSS primarily) required support for filesystem paths, which meant spaces, which meant quoting:

crypto_make():

https://svn.apache.org/repos/asf/apr/apr/trunk/crypto/apr_crypto_openssl.c

Regards,
Graham
--
Attachments: smime.p7s (4.26 KB)


shenson at opensslfoundation

Feb 4, 2012, 6:10 AM

Post #6 of 6 (262 views)
Permalink
Re: OpenSSL configuration and mod_ssl [In reply to]
On 04/02/2012 07:32, Kaspar Brand wrote:
> On 02.02.2012 15:13, Dr Stephen Henson wrote:
>>
>> int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);
>>
>> Where "config_name" is a named configuration option in the OpenSSL configuration
>> file. This has the substantial advantage that there would
>> then be one configuration file format used by all OpenSSL applications.
>> The disadvantage is that it would look nothing like the existing Apache
>> configuration format.
>
> Maybe mod_ssl could offer both - a directive for configuring via
> key-value pairs for "simple" cases, and a config file based way for
> complex setups. (In some way, it's what PHP currently does with the
> php_value/php_admin_value directives and php.ini.)
>

I agree some of the more complex operations might need nested configuration
options (for example setting verification policies).

It should be possible to setup most options for an SSL_CTX or SSL structure this
way, including which key(s) and certificate(s) to use, though not sure mod_ssl
would make use of that.

> BTW: I would like to see SSL_set_config_string(), too - for those
> mod_ssl options which can be set on a per-directory basis.
>

Yes I certainly plan to have an equivalent for SSL structures too.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson [at] opensslfoundation

Apache dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.