Posted to dev@httpd.apache.org by Ben Laurie <be...@algroup.co.uk> on 2000/07/26 00:07:11 UTC

Re: More detailed review of Ryan's filtering patch

Bill Stoddard wrote:
> 
> > Any one of:
> >
> >   Filters (allowing integrated SSL)
> 
> I think the simple iol goes a long way to making SSL integrate seamlessly. Allan Edwards
> here at IBM has enabled SSL (using IBM's gskit library) and I don't think it required any
> hits to the core with one exception... I think he had to work around the sendfile path in
> the default handler.

I also did this for Apache-SSL a while back - but sendfile wasn't used
then. The hit on the core should be made unnecessary, though.

The only thing about adding SSL via IOL was that the method turned out a
little ugly (because there was a kind of weird interaction between two
levels of code that had other code in between them) but I haven't really
thought very deeply about how to fix that elegantly. I'm sure it can be
done.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/

Re: More detailed review of Ryan's filtering patch

Posted by Ben Laurie <be...@algroup.co.uk>.
James Sutherland wrote:
> 
> On Tue, 25 Jul 2000, Ben Laurie wrote:
> 
> > Bill Stoddard wrote:
> > >
> > > > Any one of:
> > > >
> > > >   Filters (allowing integrated SSL)
> > >
> > > I think the simple iol goes a long way to making SSL integrate seamlessly. Allan Edwards
> > > here at IBM has enabled SSL (using IBM's gskit library) and I don't think it required any
> > > hits to the core with one exception... I think he had to work around the sendfile path in
> > > the default handler.
> >
> > I also did this for Apache-SSL a while back - but sendfile wasn't used
> > then. The hit on the core should be made unnecessary, though.
> >
> > The only thing about adding SSL via IOL was that the method turned out a
> > little ugly (because there was a kind of weird interaction between two
> > levels of code that had other code in between them) but I haven't really
> > thought very deeply about how to fix that elegantly. I'm sure it can be
> > done.
> 
> If you're working over an SSL connection, sendfile() isn't usable anyway,
> surely - it doesn't allow the traffic to be encrypted between disk and
> network? In this case, just disabling sendfile() usage for SSL connections
> (per connection or per server??) should do?
> 
> If Apache still works without sendfile() present on the OS, this could
> certainly be done server-wide at compile time - how much harder to do per
> connection??

Right, it's no big deal, my point was that the code needs fixing so it
becomes possible without a patch.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/

Re: More detailed review of Ryan's filtering patch

Posted by James Sutherland <ja...@cam.ac.uk>.
On Tue, 25 Jul 2000, Ben Laurie wrote:

> Bill Stoddard wrote:
> > 
> > > Any one of:
> > >
> > >   Filters (allowing integrated SSL)
> > 
> > I think the simple iol goes a long way to making SSL integrate seamlessly. Allan Edwards
> > here at IBM has enabled SSL (using IBM's gskit library) and I don't think it required any
> > hits to the core with one exception... I think he had to work around the sendfile path in
> > the default handler.
> 
> I also did this for Apache-SSL a while back - but sendfile wasn't used
> then. The hit on the core should be made unnecessary, though.
> 
> The only thing about adding SSL via IOL was that the method turned out a
> little ugly (because there was a kind of weird interaction between two
> levels of code that had other code in between them) but I haven't really
> thought very deeply about how to fix that elegantly. I'm sure it can be
> done.

If you're working over an SSL connection, sendfile() isn't usable anyway,
surely - it doesn't allow the traffic to be encrypted between disk and
network? In this case, just disabling sendfile() usage for SSL connections
(per connection or per server??) should do?

If Apache still works without sendfile() present on the OS, this could
certainly be done server-wide at compile time - how much harder to do per
connection??


James.
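
The per-connection choice discussed in this thread, sketched as an added example (not code from httpd, Apache-SSL, or any poster here): the plain path uses sendfile(), the SSL path has to read the file into user space so the bytes can be transformed before they reach the socket. conn_t, toy_encrypt, the XOR key and demo_transfer are hypothetical stand-ins for the server's I/O layer and SSL library, and Linux sendfile(2) is assumed.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical per-connection state, standing in for httpd's I/O layer. */
typedef struct { int fd; int encrypted; unsigned char key; } conn_t;

/* Toy stand-in for the SSL record layer. XOR is NOT encryption. */
static void toy_encrypt(unsigned char *buf, size_t n, unsigned char key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}

/* Send len bytes of file_fd on c; returns bytes sent, or -1 on error. */
ssize_t send_file_body(conn_t *c, int file_fd, size_t len) {
    unsigned char buf[4096];
    off_t off = 0;                      /* bytes of the file sent so far */
    while ((size_t)off < len) {
        size_t left = len - (size_t)off;
        if (!c->encrypted) {
            /* Zero-copy: the kernel moves file pages straight to the socket,
               so no user-space code gets a chance to transform them. */
            if (sendfile(c->fd, file_fd, &off, left) <= 0) return -1;
        } else {
            /* Fallback: pull the bytes into user space, transform, write. */
            ssize_t n = pread(file_fd, buf, left < sizeof buf ? left : sizeof buf, off);
            if (n <= 0) return -1;
            toy_encrypt(buf, (size_t)n, c->key);
            if (write(c->fd, buf, (size_t)n) != n) return -1;
            off += n;
        }
    }
    return (ssize_t)off;
}

/* Push a constructed file over a socketpair; returns bytes the peer read. */
ssize_t demo_transfer(int encrypted, unsigned char *wire, size_t cap) {
    static const char body[] = "constructed sample file body\n";
    char path[] = "/tmp/sfdemoXXXXXX";
    int sv[2], fd = mkstemp(path);
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    unlink(path);
    conn_t c = { sv[0], encrypted, 0x5a };
    ssize_t n = write(fd, body, strlen(body));
    if (n > 0) n = send_file_body(&c, fd, (size_t)n);
    if (n > 0) n = read(sv[1], wire, cap);
    close(fd); close(sv[0]); close(sv[1]);
    return n;
}
```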