[Devel] TLS ...
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Feb 22 15:39:35 CET 2006
Hi!
I've written a small tlsops module with the function is_peer_verified(),
which allows checking whether the request was received via a validated TLS
connection.
This is done via:
1. get tcp connection of received msg
2. get extra data (= SSL)
3. SSL_get_verify_result(ssl);
This can be easily extended to fetch certificate parameters.
Consider a scenario where a TLS connection is setup and stays open for a
long time and there are lots of messages received via this connection.
Then, using the above steps might be a little bit complicated. Maybe it
would perform better to retrieve the interesting parameters (common name,
issuer, ...) only once during tls_accept/tcp_connect and store them
together with the tcp connection (e.g. tcp_connection->extra_data2).
Thus, retrieving TLS parameters would not require fetching them from the
openssl stack, but from the tcp_connection structure. I do not know if this
is really a performance gain - it depends on the handling inside openssl.
Further: tcp_connection->extra_data
Is this used only for storing SSL? If yes, maybe we should rename it to
tcp_connection->ssl ?
regards
klaus
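The caching design proposed in the mail above, written out as an added example (this is not code from the post or from the ser/tlsops module). The struct names tls_peer_info, tls_cache_peer_info(), peer_cn() and tls_free_peer_info() are assumptions; the real module would fill the cache from SSL_get_verify_result(), SSL_get_peer_certificate() and X509_NAME_get_text_by_NID() at tls_accept/tcp_connect time, and those values are passed in as plain arguments here so the example builds without OpenSSL. It also handles the case the per-message check has to get right: SSL_get_verify_result() returns X509_V_OK when the peer presented no certificate at all, so "verified" must also require that a certificate was actually seen.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PEER_NAME_LEN 128
#define X509_V_OK 0L   /* OpenSSL's "no verification error" result code */

/* Assumed per-connection TLS summary: filled once when the handshake
 * completes, read on every message received over the connection. */
struct tls_peer_info {
    long verify_result;            /* what SSL_get_verify_result() returned */
    int has_cert;                  /* 0 if the peer presented no certificate */
    char cn[PEER_NAME_LEN];        /* subject commonName */
    char issuer[PEER_NAME_LEN];    /* issuer commonName */
};

/* Minimal stand-in for ser's tcp_connection: extra_data keeps the SSL*,
 * tls_peer is the proposed cached summary (the "extra_data2" idea). */
struct tcp_connection {
    void *extra_data;              /* SSL* in the real server, unused here */
    struct tls_peer_info *tls_peer;
    unsigned long msgs_seen;       /* messages received on this connection */
};

/* Called once at tls_accept/tcp_connect time. cn == NULL means the peer sent
 * no certificate. Returns 0 on success, -1 if the cache cannot be allocated. */
int tls_cache_peer_info(struct tcp_connection *c, long verify_result,
                        const char *cn, const char *issuer)
{
    struct tls_peer_info *p = calloc(1, sizeof *p);
    if (!p)
        return -1;
    p->verify_result = verify_result;
    if (cn) {
        p->has_cert = 1;
        snprintf(p->cn, sizeof p->cn, "%s", cn);
        snprintf(p->issuer, sizeof p->issuer, "%s", issuer ? issuer : "");
    }
    free(c->tls_peer);             /* replace any summary from an earlier handshake */
    c->tls_peer = p;
    return 0;
}

/* is_peer_verified(): answered from the cached summary, without touching the
 * OpenSSL stack per message. A missing certificate never counts as verified,
 * even though verify_result is X509_V_OK in that case. */
int is_peer_verified(struct tcp_connection *c)
{
    c->msgs_seen++;
    if (!c->tls_peer || !c->tls_peer->has_cert)
        return 0;
    return c->tls_peer->verify_result == X509_V_OK;
}

/* Cached subject CN, or NULL when no certificate was presented. */
const char *peer_cn(const struct tcp_connection *c)
{
    return (c->tls_peer && c->tls_peer->has_cert) ? c->tls_peer->cn : NULL;
}

void tls_free_peer_info(struct tcp_connection *c)
{
    free(c->tls_peer);
    c->tls_peer = NULL;
}

int main(void)
{
    struct tcp_connection c = {0};
    /* Constructed handshake outcome: verified cert for "proxy.example.net". */
    if (tls_cache_peer_info(&c, X509_V_OK, "proxy.example.net", "Example CA") != 0)
        return 1;
    /* Many messages over the same long-lived connection: only the cache is read. */
    for (int i = 0; i < 1000; i++)
        is_peer_verified(&c);
    printf("peer %s verified=%d after %lu messages\n",
           peer_cn(&c), is_peer_verified(&c), c.msgs_seen);
    /* Constructed outcome: no client certificate, result still X509_V_OK. */
    tls_cache_peer_info(&c, X509_V_OK, NULL, NULL);
    printf("no cert: verified=%d\n", is_peer_verified(&c));
    tls_free_peer_info(&c);
    return 0;
}
```

The cache is refreshed, not appended to, so a renegotiated connection replaces the old summary; freeing it belongs wherever the connection itself is torn down.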