Access to SSL_CTX
dtoubelis opened this issue · 5 comments
Hi,
I'm trying to write an SSL server using your library and I intend to heavily customize the SSL context. The issue I'm having is that `SSL_CTX` is only available when the server is started. This poses two issues for me:
- The SSL server starts with some default configuration and runs with that configuration for a brief moment, meaning it in theory will be able to accept SSL connections before all security settings are applied. This is minuscule but still a security flaw in the design.
- OpenSSL documentation explicitly suggests against modifying `SSL_CTX` after it has been used to create SSL sessions, which is always a possibility with the current API.
Here are some suggestions you may consider:
- leave it to the API user to create an `SSL_CTX` of their liking.
- pass the `SSL_CTX` to `ad_server_start()` or as an option of `ad_server` (or `NULL` if no SSL support is needed).
- remove the `server.enable_ssl`, `server.ssl_cert`, `server.ssl_pkey` server options.
- optionally, provide a utility method to create a simple `SSL_CTX` as a starting point for simple applications, something along these lines: `SSL_CTX *ad_create_ssl_context (const char *cert_path, const char *priv_key_path)`.
Also, it seems that you do OpenSSL library initialization during the `ad_server_start()` call. This initialization is usually done in the beginning of `main()`, so for an embeddable server this isn't the right place to do it. Another reason to segregate `SSL_CTX` creation.
Hi, Dmitri,
Sounds good to me. If you'd like to work on the improvements, I'd love to see your patch. For now, I'm having a very busy time, so please allow me to get back to all your postings this weekend.
If you generally agree with the approach then I can definitely do that.
I'm trying to use it as an HTTPS frontend for ZeroMQ based application and it looks promising so far.
Oh yeah, I've read your 2 postings above and agree with you. The rest of the postings you posted separately I didn't have a chance to look at yet, but I will take a look shortly and leave my comments there this week. Thanks.
Thank you for the improvement.