On 12 Mar 2018, at 16:41, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On 12 Mar 2018, at 12:01, Alan DeKok <aland@deployingradius.com> wrote:
If anyone can take a look at how Apache does it, that would help. Simply knowing which OpenSSL calls to do, and in what order, will solve 99% of the problem.
I looked at the changes from NGINX - they wrap all of openssl's method calls, but it looks like you "just" call the OpenSSL api call that adds a key pair multiple times.
mod_ssl is 100x less concise than NGINX, but the same seems to happen. Unfortunately they don't have a single changes when support was added - key agility support magically appears in this refactor: https://github.com/apache/httpd/commit/d2344cb7ea7585f4c413045f2b1189802d8de... Same rough process, except much more verbose and then followed by a ton of alternative key loading mechanisms. I can't find any evidence that the ctx is initialised - the only requirement seems to be openssl 1.0.2+. Loop over the configuration array: https://github.com/apache/httpd/blob/2b9e9b4c4226c22d9f5c489661507e7547de051... Call load cert: https://github.com/apache/httpd/blob/2b9e9b4c4226c22d9f5c489661507e7547de051... Call load key: https://github.com/apache/httpd/blob/2b9e9b4c4226c22d9f5c489661507e7547de051... Rinse, repeat. Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.