                       _             _ 
   _ __ ___   ___   __| |    ___ ___| |  
  | '_ ` _ \ / _ \ / _` |   / __/ __| |  
  | | | | | | (_) | (_| |   \__ \__ \ |  mod_ssl - Apache Interface to SSLeay  
  |_| |_| |_|\___/ \__,_|___|___/___/_|  http://www.engelschall.com/sw/mod_ssl/
                       |_____|         
  _____________________________________________________________________________


  Wishes
  ------

  The following is a list of wishes of any kind which the users or the
  author of mod_ssl want to see in future releases.

  *) Ralf S. Engelschall, Konstantin Agouros <Konstantin_Agouros@genua.de>:
 
     We want to see better support for direct access control through the
     Client Certificate. The idea is to rewrite Stronghold's SSL_Require
     directive for mod_ssl which would provide flexible Certificate Screening.
     The argument to SSL_Require is a boolean expression which tests various
     Certificate parts against strings and regex. If the expression evaluates
     to true access is allowed, else access is denied.
 
     Status: I've already started to reimplement this with Flex/Bison
             but I need some more time to get it working. Perhaps for
             the final 2.1.0 release it's ready.

  *) Ralf S. Engelschall:

     ``I want to see "SSLSessionCache shm" which uses SysV IPC Shared Memory
     to store the inter-process session cache.''

     Status: I've already started to write a shared memory based
             hash module, but want to use the mm_alloc library from Charles Randall
             <crandall@matchlogic.com> which provides a shared memory based
             malloc(). Currently he is in contact with his company about
             releasing this library under a BSD-style license so it can be used
             by mod_ssl.

  *) Ralf S. Engelschall:

     ``We should provide configuration options for the new HTTPS part
       of mod_proxy. For instance the used ciphers or the certs, etc.''

  *) Oscar Jacobsson <oscar@medcom.se>:

     ``Would it be a problem for you to have mod_ssl pass on the serial number
     of the client cert along with DN etc. as an environment variable?  This
     would make revocation control a lot easier, since CRL's are indexed by
     certificate serial number.  Even better, if mod_ssl took a configuration
     directive like "SSLCertificateRevocationListPath" pointing to a directory
     containing the CRL's for all/any given trusted CA's...  Just a
     suggestion.  Please keep up the good work.''

     State: No problem, will be added in next releases.

  *) Lai Yiu Fai <ccyflai@ust.hk>:
 
     ``Has anyone thought about incorporating LDAP as the backend storage of
     certificate database for mod_ssl?  Right now, it uses SSLFakeBasicAuth to
     translate client certificate into a basic authorization header for
     authentication.  It would be rather clumsy and not easy to maintain.  It
     would be great if mod_ssl can follow Netscape Server in handling SSL
     client authentication:
     1) extract the client certificate subject
     2) match predefined attributes e.g. mail, cn, uid, ... from X.509 subject
     3) search against LDAP with these filters
     4) compare the certificate attribute with the matched DN
     5) if compare OK, authentication succeeds.''
    
     Possible LDAP libraries to use: 
     o The OpenLDAP Project [BEST]
       http://www.OpenLDAP.org/
     o The reference implementation LDAP 3.3:
       http://www.umich.edu/~dirsvcs/ldap/ldap.html 
     o Netscape Directory SDK 
       http://www.mozilla.org/directory/

     Ideas and hints can be taken from:
     o LDAP basic authentication module based on Norman Richards:
       http://www.cs.utexas.edu/users/orb/projects/mod_auth_ldap.c 

     State: Good suggestion, but this has to be contributed by someone
            else, because the author has no experience with LDAP.
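
     The five steps quoted above, sketched as an added example (not part of
     mod_ssl or of the original wish). The subject string, the `certSHA256`
     attribute, the in-memory `DIRECTORY` and all function names are
     assumptions; step 4 is read here as comparing the presented certificate
     with one stored in the matched entry.

```python
import hashlib
import hmac

# Step 2: subject fields we search on, mapped to LDAP attribute names.
SUBJECT_TO_LDAP = {"CN": "cn", "Email": "mail", "UID": "uid"}

def parse_subject(oneline):
    """Step 1: split an SSLeay-style '/K=V/K=V' subject into (key, value) pairs."""
    pairs = []
    for part in oneline.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError("malformed subject component: %r" % part)
        pairs.append((key, value))
    return pairs

def escape_filter_value(value):
    """Hex-escape the RFC 4515 special characters so a subject cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(pairs):
    """Step 3: AND together one equality test per mapped subject field."""
    terms = ["(%s=%s)" % (SUBJECT_TO_LDAP[k], escape_filter_value(v))
             for k, v in pairs if k in SUBJECT_TO_LDAP]
    if not terms:
        raise ValueError("subject has no searchable attribute")
    return "(&%s)" % "".join(terms)

def authenticate(subject, cert_der, search):
    """Steps 3-5: return the matched DN or None; `search` stands in for an LDAP query."""
    entries = search(build_filter(parse_subject(subject)))
    if len(entries) != 1:  # no match, or an ambiguous one: deny
        return None
    dn, attrs = entries[0]
    presented = hashlib.sha256(cert_der).hexdigest()
    # Step 4 (assumed meaning): the entry must hold this exact certificate.
    if hmac.compare_digest(presented, attrs.get("certSHA256", "")):
        return dn
    return None

# Constructed data: a dict keyed by filter string plays the directory server.
CERT = b"constructed-certificate-bytes"
DIRECTORY = {"(&(cn=Jane Doe)(mail=jane@example.org))": [
    ("uid=jdoe,ou=People,dc=example,dc=org",
     {"certSHA256": hashlib.sha256(CERT).hexdigest()})]}

def fake_search(ldap_filter):
    return DIRECTORY.get(ldap_filter, [])
```

     Subject values are attacker-chosen input, so wildcard or parenthesis
     characters in a CN are escaped before they reach the search filter.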

  *) Ralf S. Engelschall:
  
     ``It would be nice to have mod_status enhanced for displaying SSL
     information similar to what Stronghold provides.''

     State: Should not be too hard. The Scoreboard needs to be
            extended to allow mod_status to display the information.  When I
            find time this will be added in one of the next releases.

  *) Holger Reif <Holger.Reif@PrakInf.TU-Ilmenau.DE>:

     He suggests splitting out the SSLFakeBasicAuth functionality into a
     separate module because it's an additional stand-alone feature.  Here
     it's only important to find a protocol between the modules for the
     following things:
        - Sharing session context (because of individual cert-checks)
        - Renegotiation (because the client cert is required only
          for a particular directory)

     Status: Holger already started a little project about this at his
             University. Perhaps the result will be contributed to mod_ssl.

  *) Holger Reif <Holger.Reif@PrakInf.TU-Ilmenau.DE>:

     He suggests adding a ``make request'' which creates a CSR and gives a
     hint about SSLCertificateFile/SSLCertificateKeyFile.

     Status: Good suggestion and will be added for next releases.

  *) Holger Reif <Holger.Reif@PrakInf.TU-Ilmenau.DE>:
    
     He suggests that ``make certificate'' does not create a self-signed
     certificate (because it causes trouble for instance in MSIE).  Instead it
     should also create a CA cert and install it.  Only the hostname should be
     required or determined automatically and inserted into both the CA-cert
     and the Server-cert.
     Example: CA: O=mod_ssl Test CA, OU=Server.name, CN=TestCA
              ServerCert: O=mod_ssl Test, CN=server.name

     Status: Holger also wants to contribute some scripts for
             achieving this easily without fiddling too much with the "ssleay
             ca" command.

  *) Ralf S. Engelschall:

     ``I want an Apache+mod_ssl Test Suite. Perhaps via SSLeay's s_client or
     Perl's SSLeay interface?''

     Status: Will be done in the future but I currently don't know for 
             which release. At least I'll start using this locally for
             development.

  *) Ralf S. Engelschall:

     ``My personal major wish is a compact and easy to install package which
     aids in CA cert loading and especially Client Authentication setup.  The
     existing scripts I know of work but also should be assembled together
     into a user friendly package which can be optionally installed. The best
     start is the HTML and Perl stuff in the article from F.J.Hirsch under
     http://www.camb.opengroup.org/RI/www/prism/wwwj/. It would be nice to
     have a mixture of `apachectl' and the `ssleay' interactive mode.''
    
     Status: If anyone is interested in contributing or at least volunteers
             to clean up and integrate this stuff, I would be happy. If
             not perhaps I'll write it myself, but this needs some time...

  *) Ralf S. Engelschall:
    
     ``Another wish is that I find time to move my CVS repository from the
     Intranet to my Internet machines and allow direct access (read-only) to
     the users and perhaps even write-access for selected contributors.
     Because this way at least the users can stay up-to-date even between
     releases and can even checkout an already patched Apache source tree.
     Because currently mod_ssl is staying in a CVS tree together with Apache
     and SSLeay on vendor branches and mod_ssl on the HEAD branch. This works
     fine and people could benefit from access to this, too.''

     Status: The mod_ssl-SNAP/ is already available through RSync. The
             complete repository is not available because it stays at my home
             and not on the Internet. Perhaps this will be changed in the
             future. Currently there is no real need, is there?

  *) Ralf S. Engelschall:
  
     ``One more wish is to provide DSO support for mod_ssl. But it is very
     hard because of the Apache API which lacks one important hook. Without
     this it's currently impossible, but.... it's a wish! The benefit? <grin>
     You could startup tiny Apache's on port 80 and larger SSL-aware Apache's
     on port 443 with the same Apache installation. Because SSL-aware httpd
     processes are larger and for large sites a lot of them are needed.''

     Status: Not planned before 2.2.x because for this the Apache API
             has to be extended and I'm not sure if it's worth the effort.

  *) Andrew Ford <andrew@icarus.demon.co.uk>:
  
     ``One way I had thought of for supporting pass-phrases more securely on
     machines that are exposed to the Internet was to start the web server
     from another system situated behind a firewall.  The public system might
     have to have a way of notifying the internal system that the web server
     should be started or restarted (or maybe the internal machine would
     monitor the public machine continuously).  A process on the internal
     machine could start the web server remotely using a combination of SSH
     and "expect" to send the pass-phrase.  In this way the pass-phrase is not
     stored on the public machine.  I've not actually implemented this --
     although I have used SSH and expect for inter-process communication
     through firewalls without operator intervention -- but I am thinking of
     something like this sort of setup for one of my clients.  Of course one
     could possibly extend mod_ssl so that the use of some sort of secure
     channel to a separate co-process (on another system) to obtain the pass
     phrase was built-in.  But if you are worried about a public server being
     compromised then you cannot really trust any configuration files stored
     on the public system and everything should probably be initiated from the
     more-secure, internal system.''

     Status: It's too much to implement this directly inside Apache+mod_ssl,
             so mod_ssl 2.1 provides at least a plug-in interface
             (`SSLPassPhraseDialog exec:/path/to/program') which can be used to
             connect an external program to mod_ssl which then provides the
             pass phrase. But it would be nice if someone now at least
             contributes such a program (perhaps a Perl script) which receives
             the pass phrase via SSH or other mechanism from a remote machine
             in a secure way.
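
     One shape such a program could take, as an added example (not code from
     mod_ssl or from a contributor). It assumes the calling convention
     documented for Apache's mod_ssl, two arguments (`servername:port` and the
     key algorithm) with the pass phrase printed to stdout; `KEY_HOST`,
     `ALLOWED` and the function names are hypothetical.

```python
import subprocess
import sys

# Hypothetical values: the internal key host, and the only (server:port,
# algorithm) pairs this web server may ask about.
KEY_HOST = "keyhost.internal.example"
ALLOWED = {("www.example.org:443", "RSA")}

def ssh_fetch(server, algorithm):
    """Ask the internal host over SSH: argument list, no shell, no prompts."""
    result = subprocess.run(
        ["ssh", "-o", "BatchMode=yes", "-o", "ConnectTimeout=10", "-T",
         KEY_HOST, server, algorithm],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, timeout=30)
    if result.returncode != 0:
        raise RuntimeError("key host refused the request")
    return result.stdout.decode("utf-8")

def get_passphrase(argv, fetch=ssh_fetch):
    """Validate the two dialog arguments, fetch, and return the pass phrase."""
    if len(argv) != 2 or tuple(argv) not in ALLOWED:
        raise ValueError("unexpected dialog arguments")
    phrase = fetch(argv[0], argv[1]).rstrip("\r\n")
    if not phrase or "\n" in phrase:
        raise ValueError("key host returned no usable pass phrase")
    return phrase

def main():
    try:
        sys.stdout.write(get_passphrase(sys.argv[1:]) + "\n")
    except Exception as exc:  # fail closed; report the reason, never the secret
        sys.stderr.write("passphrase helper: %s\n" % exc)
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

     An SSH key left unprotected on the public host would be worth as much as
     the pass phrase itself, so the key host has to decide on its own whether
     to answer, for example with a forced command and operator approval.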

  *) Andrew Ford <andrew@icarus.demon.co.uk>:

     ``Another variant on this would be to allow 'SSLPassPhraseDialog fd1
     fd2', i.e. Apache/ssl_mod started with file descriptors fd1 and fd2 open
     (for reading and writing respectively) on a pipe to the external process.
     In this scenario the script that starts Apache (securely) would ensure
     that there was a pipe open that would provide the pass phrase (obviously
     these file descriptors should be closed when child server processes are
     started).  I think this would be my preferred option.''

     Status: This filedescriptor passing is a nice idea but not very
             portable. But perhaps we can add it in the future...

  *) Ralf S. Engelschall:

     ``I want to see at least minimal support for Certificate Revocation Lists
     (CRLs). Netscape supports this minimally and so mod_ssl should support at
     least this.''

     Status: I've not thought about it in-depth up to now. 

  *) Holger Reif and Ralf S. Engelschall:
   
     ``And then, what about checking whether the SSL VHost
     is really an IP-based Host and refusing to work
     with a particular NameBased VHost with some meaningful
     warning?''

