On Fri, Jan 11, 2008 at 07:28:00PM +0100, Dr. Stephen Henson wrote:

> On Fri, Jan 11, 2008, Rodney Thayer wrote:
>
> > I wonder if apache-ssl supports ECC...
>
> Apache currently has algorithm specific code for keys and certificates with
> only RSA and DSA included as standard. That means each new public key
> algorithm needs to be added as a special case.

Is this a historical accident or deliberate choice? The easy way to
install certs with recent OpenSSL releases is not algorithm dependent...

#include <openssl/ssl.h>

/* Load one PEM cert chain and its private key into ctx; returns 1 on
 * success, 0 on failure. Nothing below depends on the key algorithm:
 * OpenSSL works out RSA, DSA or EC from the PEM contents itself.
 * tls_print_errors() is the application's own dump of the OpenSSL error
 * queue; the wrapper signature is supplied here, the mail shows only the body. */
static int
tls_set_cert_and_key(SSL_CTX *ctx, const char *cert_file, const char *key_file)
{
    /* Import cert (leaf first, then any intermediates) */
    if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
        tls_print_errors();
        return (0);
    }
    /* Import key */
    if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
        tls_print_errors();
        return (0);
    }
    /* Check that key matches cert (public key in cert == public half of key) */
    if (!SSL_CTX_check_private_key(ctx))
        return (0);
    return (1);
}

Just call this N times (with 0.9.9 N <= 3) for N matching cert/key pairs
for a supported algorithm. Is Apache using an older API? Are they getting
some benefit from using lower-level algorithm-specific code?

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
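The "check that key matches cert" step from the snippet above, done outside the server with the openssl command-line tool so a set of N cert/key pairs can be checked before anything loads them. This is an added example written for this page; it is not code from the mail, from Postfix, Apache or the OpenSSL project. It assumes an openssl binary in PATH, and every function name in it is chosen here. The point it illustrates is the same one the mail makes: reducing both sides to the DER SubjectPublicKeyInfo makes the check identical for RSA, DSA and EC keys, so nothing algorithm-specific is needed.

```shell
#!/bin/sh
# Added example; not code from the mail, Postfix, Apache or OpenSSL.
# Algorithm-independent "does this private key belong to this certificate"
# check: the public key inside the cert and the public key derived from the
# private key are both reduced to DER SubjectPublicKeyInfo and compared by
# SHA-256. Assumes an openssl binary in PATH; all names are chosen here.

# stdin: PEM SubjectPublicKeyInfo; stdout: hex SHA-256 of its DER encoding
spki_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# cert_spki_digest CERT.pem: fingerprint of the public key carried in the cert.
# Fails (non-zero, no output) if the file is missing or is not a certificate.
cert_spki_digest() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | spki_digest
}

# key_spki_digest KEY.pem: fingerprint of the public key derived from the
# private key. Fails if the file is missing or is not a readable private key.
key_spki_digest() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | spki_digest
}

# key_matches_cert CERT.pem KEY.pem
# Exit 0 iff KEY is the private half of the key in CERT. A read failure on
# either side is reported as a mismatch, never as a silent pass.
key_matches_cert() {
    c=$(cert_spki_digest "$1") || return 1
    k=$(key_spki_digest "$2") || return 1
    [ "$c" = "$k" ]
}

# check_pairs CERT1 KEY1 [CERT2 KEY2 ...]
# The "call it N times" loop from the mail, at the file level: one line per
# pair, non-zero exit status if any pair does not match.
check_pairs() {
    rc=0
    while [ $# -ge 2 ]; do
        if key_matches_cert "$1" "$2"; then
            echo "ok       $1 <-> $2"
        else
            echo "MISMATCH $1 <-> $2"
            rc=1
        fi
        shift 2
    done
    return $rc
}

# make_selfsigned DIR NAME rsa|ec
# Throw-away self-signed pair DIR/NAME.key and DIR/NAME.crt, for testing only.
make_selfsigned() {
    dir=$1 name=$2
    case $3 in
        rsa) opts="-algorithm RSA -pkeyopt rsa_keygen_bits:2048" ;;
        ec)  opts="-algorithm EC -pkeyopt ec_paramgen_curve:prime256v1" ;;
        *)   echo "make_selfsigned: unknown algorithm '$3'" >&2; return 1 ;;
    esac
    # $opts is deliberately unquoted so it word-splits into separate arguments
    openssl genpkey $opts -out "$dir/$name.key" 2>/dev/null || return 1
    openssl req -x509 -new -key "$dir/$name.key" -subj "/CN=$name" -days 1 \
        -out "$dir/$name.crt" 2>/dev/null
}

# Demonstration (run as: sh check_pairs.sh demo): an RSA and an EC pair pass,
# a cross-pairing is rejected, and a missing file is reported as a mismatch.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" rsa rsa && make_selfsigned "$d" ec ec
    check_pairs "$d/rsa.crt" "$d/rsa.key" "$d/ec.crt" "$d/ec.key"
    check_pairs "$d/rsa.crt" "$d/ec.key" "$d/missing.crt" "$d/rsa.key"
    rm -rf "$d"
fi
```

The one trap worth noting in a check like this is the empty-input case: `openssl dgst` happily hashes an empty stream, so if the certificate read fails on both sides the two "fingerprints" agree and a naive pipeline reports a match. The digest helpers therefore refuse to hash anything until they have a non-empty PEM block, which is why a missing or unreadable file comes out as a mismatch rather than a pass.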