shenson at opensslfoundation
Feb 2, 2012, 6:13 AM
Post #1 of 6
OpenSSL configuration and mod_ssl
It has been apparent for some time that mod_ssl (and other applications) requires
a considerable effort to support new features in OpenSSL.
A simple example is when a new flag is added which some, but not all, users may
want to set. Once this flag appears in an OpenSSL release every OpenSSL based
application needs to be modified to support and document it. Specification of
this option might be via a command line option or (in the case of mod_ssl and
others) a configuration file.
It would IMHO be far better if a mechanism existed to support automatic
configuration of some options by conforming applications.
There is a current example where this works well: the cipher string. With the
inclusion of TLS v1.2 in the upcoming OpenSSL 1.0.1 release several new
ciphersuites based on SHA256 and GCM have appeared. An application generally
doesn't need to know or care what these are. A user can enable or disable them
by just using the cipher string: it is passed as an opaque string which OpenSSL
So my thoughts are that this concept could be generalised.
A simple answer is to add new string setting options. For example:
int SSL_CTX_set_options_string(SSL_CTX *ctx, const char *str);
This works for existing simple configuration but a new string (for example TLS
1.2 supported signature algorithms) might be added in the future so then we're
back to having to explicitly add support to all applications for each new string.
int SSL_CTX_set_config_string(SSL_CTX *ctx, const char *name, const char *value);
Where the values of "name" can expand over time.
I'm not completely sure that this could be handled by the mod_ssl
configuration routines, perhaps someone could comment on that?
A third method is to delegate the configuration completely to OpenSSL using a
separate configuration file. So, we'd have an option to set the configuration
file to use and then something like:
int SSL_CTX_config(SSL_CTX *ctx, const char *config_name);
Where "config_name" is a named configuration option in the OpenSSL configuration
file. This has the substantial advantage that there would
then be one configuration file format used by all OpenSSL applications.
The disadvantage is that it would look nothing like the existing Apache
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
shenson [at] opensslfoundation
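The name/value proposal above, as an added example that is not the post's or OpenSSL's own code: a self-contained C sketch of a table-driven setter in the shape of the proposed SSL_CTX_set_config_string(), showing how a new name is added on the library side without touching applications, and why an unknown name must come back as an error rather than being silently ignored. MOCK_CTX, mock_set_config_string, the option names and flag values are all assumptions made for the sketch.

```c
#include <string.h>

/* Hypothetical mock of the SSL_CTX state touched here (not OpenSSL's struct). */
typedef struct {
    unsigned long options;  /* bitmask of "NO_..." option flags */
    char ciphers[128];      /* opaque cipher string, passed through untouched */
} MOCK_CTX;
#define OPT_NO_SSLV2 0x01UL
#define OPT_NO_COMP  0x02UL

/* "Options" handler: comma separated "+Name" (enable) / "-Name" (disable). */
static int set_options(MOCK_CTX *ctx, const char *value) {
    static const struct { const char *name; unsigned long flag; } tbl[] = {
        { "SSLv2", OPT_NO_SSLV2 }, { "Compression", OPT_NO_COMP }
    };
    char buf[128], *tok;
    if (strlen(value) >= sizeof buf) return 0;
    strcpy(buf, value);
    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        size_t i, found = 0;
        if (*tok != '+' && *tok != '-') return 0;   /* malformed token */
        for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
            if (strcmp(tok + 1, tbl[i].name) != 0) continue;
            /* "-SSLv2" sets NO_SSLV2, "+SSLv2" clears it */
            if (*tok == '-') ctx->options |= tbl[i].flag;
            else ctx->options &= ~tbl[i].flag;
            found = 1;
        }
        if (!found) return 0;                       /* unknown feature name */
    }
    return 1;
}

/* "Ciphers" handler: the application never interprets the string. */
static int set_ciphers(MOCK_CTX *ctx, const char *value) {
    if (strlen(value) >= sizeof ctx->ciphers) return 0;
    strcpy(ctx->ciphers, value);
    return 1;
}

/* Dispatch table: a new name is added here, applications stay unchanged. */
static const struct { const char *name; int (*fn)(MOCK_CTX *, const char *); }
    cmds[] = { { "Options", set_options }, { "Ciphers", set_ciphers } };

/* Sketch of the proposed SSL_CTX_set_config_string(): 1 = ok, 0 = error. */
int mock_set_config_string(MOCK_CTX *ctx, const char *name, const char *value) {
    size_t i;
    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        if (strcmp(name, cmds[i].name) == 0) return cmds[i].fn(ctx, value);
    return 0;   /* unknown name: the caller must report it, not ignore it */
}
```

An application such as mod_ssl would forward each "name value" pair from its configuration file to this one call and fail startup on a 0 return, so a mistyped or not-yet-supported name is surfaced instead of leaving the intended setting unapplied.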