On Fri, Jan 11, 2008, Victor Duchovni wrote:

> On Fri, Jan 11, 2008 at 07:28:00PM +0100, Dr. Stephen Henson wrote:
>
> > On Fri, Jan 11, 2008, Rodney Thayer wrote:
> >
> > > I wonder if apache-ssl supports ECC...
> > >
> >
> > Apache currently has algorithm specific code for keys and certificates with
> > only RSA and DSA included as standard. That means each new public key
> > algorithm needs to be added as a special case.
>
> Is this a historical accident or deliberate choice? The easy way to
> install certs with recent OpenSSL releases is not algorithm dependent...
>
>     /* Import cert */
>     if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>         tls_print_errors();
>         return (0);
>     }
>     /* Import key */
>     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
>         tls_print_errors();
>         return (0);
>     }
>     /* Check that key matches cert */
>     if (!SSL_CTX_check_private_key(ctx))
>         return (0);
>     return (1);
>
> Just call this N times (with 0.9.9 N <= 3) for N matching cert/key pairs
> for a supported algorithm. Is Apache using an older API? Are they getting
> some benefit from using lower-level algorithm-specific code?
>


It is using an older API in a number of places. The initial benefit was to
perform serialisation of keys but there have been portable ways to do that
without serialisation for some time.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
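The algorithm-independent load sequence Victor quotes above, as an added example that is not part of the thread: CPython's `ssl.SSLContext.load_cert_chain()` wraps the same three OpenSSL calls (`SSL_CTX_use_certificate_chain_file`, `SSL_CTX_use_PrivateKey` and `SSL_CTX_check_private_key`), so one code path loads an RSA pair, an EC pair, and rejects a deliberately mismatched pair, with no per-algorithm special case. The script assumes an `openssl` command on PATH to generate throwaway self-signed test material; the helper names `make_self_signed`, `load_pair` and `demo` are my own.

```python
"""Algorithm-independent cert/key loading via the OpenSSL high-level API.

ssl.SSLContext.load_cert_chain() calls SSL_CTX_use_certificate_chain_file,
SSL_CTX_use_PrivateKey and SSL_CTX_check_private_key in turn, exactly the
sequence from the quoted C fragment. Nothing below depends on the key type.
"""
import os
import ssl
import subprocess
import tempfile


def make_self_signed(dirname, name, key_args):
    """Generate a private key and a throwaway self-signed cert with the openssl CLI.

    key_args is the argv tail for 'openssl genpkey' (assumption: an openssl
    binary is on PATH). The cert only exists so load_cert_chain() has something
    to parse; it is not meant to be trusted by anything.
    """
    key = os.path.join(dirname, name + ".key")
    crt = os.path.join(dirname, name + ".crt")
    subprocess.run(["openssl", "genpkey", "-out", key] + key_args,
                   check=True, capture_output=True)
    subprocess.run(["openssl", "req", "-x509", "-new", "-key", key, "-out", crt,
                    "-subj", "/CN=" + name, "-days", "1"],
                   check=True, capture_output=True)
    return crt, key


def load_pair(certfile, keyfile):
    """Return True if the cert chain and key load and match, False otherwise.

    The same three OpenSSL calls run for RSA, DSA, EC or anything else the
    library supports; a mismatch surfaces as ssl.SSLError from
    SSL_CTX_check_private_key ("key values mismatch").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError:
        return False
    return True


def demo():
    """Load an RSA pair and an EC pair with identical code, then a mismatched pair."""
    with tempfile.TemporaryDirectory() as d:
        rsa_crt, rsa_key = make_self_signed(
            d, "rsa", ["-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048"])
        ec_crt, ec_key = make_self_signed(
            d, "ec", ["-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:P-256"])
        return {
            "rsa": load_pair(rsa_crt, rsa_key),        # True
            "ec": load_pair(ec_crt, ec_key),           # True
            "mismatch": load_pair(rsa_crt, ec_key),    # False: cert/key mismatch
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'loaded' if ok else 'rejected'}")
```

The third case is the one worth keeping in a server's startup path: the mismatch check is what catches a key file that was rotated without its certificate, and it costs nothing extra because `SSL_CTX_check_private_key` is already part of the sequence.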