Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@Fujitsu-Siemens.com> on 2001/04/25 16:20:09 UTC

[martin: Cron CRONJOBS/httpd-2.0-build]

Do you get build errors in Apache-2.0 too? I enabled the TLS module, and
it keeps breaking for a couple of days now in my nightly regression test:

  Making all in tls
  /bin/sh /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/libtool --silent --mode=compile gcc  -I.
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/tls
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/server/mpm/prefork
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/http
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/include
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/srclib/apr/include
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/srclib/apr-util/include
  +-I/usr/local/ssl/include/openssl -I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/dav/main
  +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/os/unix   -D_REENTRANT -D_THREAD_SAFE -D_REENTRANT
  +-D_THREAD_SAFE -DNO_DBM_REWRITEMAP   -c mod_tls.c && touch mod_tls.lo
  mod_tls.c: In function `tls_out_filter':
  mod_tls.c:298: too few arguments to function `churn'
  mod_tls.c:310: too few arguments to function `churn'
  *** Error code 1
  Stop in /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/tls.
  *** Error code 1

If there is no one who actually cares for the mod_tls baby, I propose to
delete it entirely and replace it by a REAL solution, based on Ralf's
mod_ssl. The current "implementation" of mod_tls is a PITA, nothing
more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
would even consider switching to httpd-2.0+mod_tls from apache_1.3.x+mod_ssl.

Sorry to be so honest about it, Ben, but that's how I see it.

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-41143 | 81730  Munich,  Germany

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by David Reid <dr...@jetnet.co.uk>.
> If there is no one who actually cares for the mod_tls baby, I propose to
> delete it entirely and replace it by a REAL solution, based on Ralf's
> mod_ssl. The current "implementation" of mod_tls is a PITA, nothing
> more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
> would even consider switching to httpd-2.0+mod_tls from
> apache_1.3.x+mod_ssl.

Given that Ben has just been on holiday for 3 weeks and so hasn't had much
of an opportunity to answer any emails until Tuesday, let alone do any
coding, what do you expect!

>
> Sorry to be so honest about it, Ben, but that's how I see it.

Ben has been honest about what the module can/can't do and has never said
it's "finished" or anything other than a work in progress.

The problems are all small and mainly configure related, so give it time.

david


Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Thu, Apr 26, 2001 at 07:00:37PM +0200, Clere Jean-Frederic FSC EP LP COM 5 wrote:
> 
> The one enclosed should not break the other machines... Now mod_tls works on my
> machines, that is a nice test/demo tool!

Committed, thanks!

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Clere Jean-Frederic FSC EP LP COM 5 wrote:
> 
> Greg Stein wrote:
> >
> > On Wed, Apr 25, 2001 at 07:10:56PM +0200, jean-frederic clere wrote:
> > >...
> > > In configure a little more is needed (openssl version check; someone has to do
> > > it):
> >
> > We've already known that a lot of config stuff needs to happen. The change
> > below isn't going to be quite right because it may work on *your* machine,
> > but it will break on somebody else's.
> 
> Agreed, (sorry) the m4 patches surely break something. I will try to propose a
> new one.

The one enclosed should not break the other machines... Now mod_tls works on my
machines, that is a nice test/demo tool!

> 
> > The configure process needs to move to
> > a more flexible "look in a bunch of areas" type of search.
> >
> > Cheers,
> > -g
> >
> > --
> > Greg Stein, http://www.lyra.org/

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Greg Stein wrote:
> 
> On Wed, Apr 25, 2001 at 07:10:56PM +0200, jean-frederic clere wrote:
> >...
> > In configure a little more is needed (openssl version check; someone has to do
> > it):
> 
> We've already known that a lot of config stuff needs to happen. The change
> below isn't going to be quite right because it may work on *your* machine,
> but it will break on somebody else's.

Agreed, (sorry) the m4 patches surely break something. I will try to propose a
new one.

> The configure process needs to move to
> a more flexible "look in a bunch of areas" type of search.
> 
> Cheers,
> -g
> 
> --
> Greg Stein, http://www.lyra.org/

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by Greg Stein <gs...@lyra.org>.
On Wed, Apr 25, 2001 at 07:10:56PM +0200, jean-frederic clere wrote:
>...
> In configure a little more is needed (openssl version check; someone has to do
> it):

We've already known that a lot of config stuff needs to happen. The change
below isn't going to be quite right because it may work on *your* machine,
but it will break on somebody else's. The configure process needs to move to
a more flexible "look in a bunch of areas" type of search.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/
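Greg's "look in a bunch of areas" search, together with the inc-vs-include and -L/usr/local/ssl/include problems Jean-Frederic reports elsewhere in this thread, written out as an added shell example. This is not code from the thread or from httpd's modules/tls/config.m4; the fixture directories, the candidate prefix list and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from httpd's config.m4.
# A "look in a bunch of areas" OpenSSL probe: a candidate prefix is accepted
# only if it has BOTH include/openssl/ssl.h AND a libssl.* in a lib directory.
# That rules out the two failure modes reported in the thread: configure
# passing on headers alone and then dying at link time with "cannot find
# -lssl", and an -L flag that points at an include directory.

# have_libssl DIR -> 0 if DIR contains a libssl.* (static or shared), else 1
have_libssl() {
    for f in "$1"/libssl.*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# find_openssl PREFIX... -> prints the -I/-L/-l flags for the first usable
# prefix and returns 0; prints nothing and returns 1 if none is usable.
# In a real configure the list would be "$withval" followed by the usual
# locations, e.g. /usr/local/ssl /usr/local /usr (assumed, not httpd's list).
find_openssl() {
    for prefix in "$@"; do
        # Header check: the layout is include/openssl/ssl.h, not
        # "$prefix/inc/ssl.h" or "$prefix/openssl/ssl.h" as the old config.m4 tried.
        [ -f "$prefix/include/openssl/ssl.h" ] || continue
        for libdir in "$prefix/lib" "$prefix/lib64"; do
            if have_libssl "$libdir"; then
                echo "-I$prefix/include -L$libdir -lssl -lcrypto"
                return 0
            fi
        done
        # headers but no library: keep searching rather than emit a bad -L
    done
    return 1
}

# make_fixture ROOT -> constructed sample layouts (no real OpenSSL needed):
#   ROOT/headers_only  has the header tree but no library
#   ROOT/old_layout    has openssl/ssl.h directly under the prefix (what the
#                      pre-patch config.m4 looked for) plus a lib, so it is rejected
#   ROOT/good          has both the header tree and lib/libssl.a
make_fixture() {
    mkdir -p "$1/headers_only/include/openssl" \
             "$1/old_layout/openssl" "$1/old_layout/lib" \
             "$1/good/include/openssl" "$1/good/lib"
    : > "$1/headers_only/include/openssl/ssl.h"
    : > "$1/old_layout/openssl/ssl.h"
    : > "$1/old_layout/lib/libssl.a"
    : > "$1/good/include/openssl/ssl.h"
    : > "$1/good/lib/libssl.a"
}

# Stand-alone demo: probe the constructed prefixes, then a list with no usable one.
root=$(mktemp -d)
make_fixture "$root"
find_openssl "$root/headers_only" "$root/old_layout" "$root/good" \
    || echo "no usable OpenSSL prefix"
find_openssl "$root/headers_only" "$root/old_layout" \
    || echo "no usable OpenSSL prefix (expected: headers_only has no lib, old_layout has no include/openssl)"
rm -rf "$root"
```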

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
Clere Jean-Frederic FSC EP LP COM 5 wrote:
> 
> "Kraemer, Martin" wrote:
> >
> > It appears that nobody really ever uses (or even compiles) this module.
> 
> It seems so,

Oops, sorry, that is just a small problem in configure...
mod_tls should also check for some openssl-0.9.6 routines like
ERR_error_string_n() because it uses it! (Therefore I will go on tomorrow
because I have to install a new openssl).
To get mod_tls compiled was a matter of some minutes... (But will it work ;=)!)

Patches:
+++
===================================================================
RCS file: /home/cvs/apache/httpd-2.0/modules/tls/mod_tls.c,v
retrieving revision 1.5
diff -u -r1.5 mod_tls.c
--- mod_tls.c   2001/04/22 22:19:31     1.5
+++ mod_tls.c   2001/04/25 16:51:39
@@ -280,6 +280,7 @@
 {
     TLSFilterCtx *pCtx=f->ctx;
     apr_bucket *pbktIn;
+    apr_size_t zero = 0;
 
     APR_BRIGADE_FOREACH(pbktIn,pbbIn) {
        const char *data;
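Review bot: `zero` is declared and initialised once before the `APR_BRIGADE_FOREACH` loop, yet `&zero` is handed to `churn` on every iteration (the two `churn(pCtx,APR_NONBLOCK_READ,&zero)` calls in the following hunks); if `churn` writes a count back through that pointer, the second and later calls pass whatever the previous call left there rather than 0. Either reset it before each call or add a one-line comment saying that `churn` only reads the value, so the next reader does not have to go and check.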
@@ -295,7 +296,7 @@
                ret=churn_output(pCtx);
                if(ret != APR_SUCCESS)
                    return ret;
-               ret=churn(pCtx,APR_NONBLOCK_READ);
+               ret=churn(pCtx,APR_NONBLOCK_READ,&zero);
                if(ret != APR_SUCCESS)
                    if(ret == APR_EOF)
                        return APR_SUCCESS;
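Review bot: the lines directly below the changed call, `if(ret != APR_SUCCESS)` followed by `if(ret == APR_EOF) return APR_SUCCESS;`, are nested ifs without braces, so any `else` added later at either level binds to the inner `if`. Bracing the outer `if` makes the EOF handling unambiguous and is cheap to do while this line is being touched.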
@@ -307,7 +308,7 @@
 
        if(APR_BUCKET_IS_FLUSH(pbktIn)) {
            // assume that churn will flush (or already has) if there's output
-           ret=churn(pCtx,APR_NONBLOCK_READ);
+           ret=churn(pCtx,APR_NONBLOCK_READ,&zero);
            if(ret != APR_SUCCESS)
                return ret;
            continue;                                                           
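Review bot: the `// assume that churn will flush (or already has) if there's output` line above the changed call is a C++-style comment in a C source file, which C89 compilers reject; it should be a `/* ... */` comment. The assumption it records is also what justifies dropping the flush bucket with `continue`, so it is worth confirming against `churn` and stating as its documented behaviour rather than as an assumption.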
+++

In configure a little more is needed (openssl version check; someone has to do
it):

+++
 Index: config.m4
===================================================================
RCS file: /home/cvs/apache/httpd-2.0/modules/tls/config.m4,v
retrieving revision 1.3
diff -u -r1.3 config.m4
--- config.m4   2001/02/12 16:50:21     1.3
+++ config.m4   2001/04/25 16:53:43
@@ -18,10 +18,10 @@
               LIBS="$LIBS -L$withval -lssl -lcrypto"
               ssl_lib="OpenSSL"
           else
-              searchfile="$withval/openssl/ssl.h"
+              searchfile="$withval/include/openssl/ssl.h"
               if test -f $searchfile ; then
-                  INCLUDES="$INCLUDES -I$withval/openssl"
-                  LIBS="$LIBS -L$withval -lssl -lcrypto"
+                  INCLUDES="$INCLUDES -I$withval/include"
+                  LIBS="$LIBS -L$withval/lib -lssl -lcrypto"
                   ssl_lib="OpenSSL"
               else
                   AC_MSG_ERROR(no - Unable to locate $withval/inc/ssl.h)       
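Review bot: the error path was not updated along with the search path: `searchfile` is now `$withval/include/openssl/ssl.h`, but the `AC_MSG_ERROR` on the last line of the hunk still reports `$withval/inc/ssl.h`, the misleading message Jean-Frederic hit earlier in the thread. `AC_MSG_ERROR(no - Unable to locate $searchfile)` keeps the message in step with the path actually tested. Separately, this branch still checks only for the header and then assumes `$withval/lib` holds libssl; a prefix with headers but no library passes configure and fails at link time, which is the `cannot find -lssl` failure also reported in this thread, so a `test -f $withval/lib/libssl.*`-style check before setting `LIBS` would be worthwhile.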
+++

Check it and commit it.

Cheers

Jean-frederic

+++ CUT +++

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by jean-frederic clere <jf...@fujitsu-siemens.com>.
"Kraemer, Martin" wrote:
> 
> It appears that nobody really ever uses (or even compiles) this module.

It seems so, because the fix I have tried just shows one more problem:
+++
Making all in tls
make[2]: Entering directory `/home2/apache20/apache/httpd-2.0/modules/tls'
make[3]: Entering directory `/home2/apache20/apache/httpd-2.0/modules/tls'
/bin/sh /home2/apache20/apache/httpd-2.0/libtool --silent --mode=compile gcc 
-I. -I/home2/apache20/apache/httpd-2.0/modules/tls
-I/home2/apache20/apache/httpd-2.0/server/mpm/threaded
-I/home2/apache20/apache/httpd-2.0/modules/http
-I/home2/apache20/apache/httpd-2.0/include
-I/home2/apache20/apache/httpd-2.0/srclib/apr/include
-I/home2/apache20/apache/httpd-2.0/srclib/apr-util/include
-I/usr/local/ssl/include/openssl -I/home2/apache20/apache/httpd-2.0/os/unix  
-D_REENTRANT -D_REENTRANT -DNO_DBM_REWRITEMAP -pthread  -c
openssl_state_machine.c && touch openssl_state_machine.lo
openssl_state_machine.c:79: openssl/ssl.h: No such file or directory
openssl_state_machine.c:83: openssl/err.h: No such file or directory
make[3]: *** [openssl_state_machine.lo] Error 1                                 
+++
> 
>    Martin
> 
> On Wed, Apr 25, 2001 at 05:26:20PM +0200, Clere Jean-Frederic FSC EP LP COM 5 wrote:
> > Martin Kraemer wrote:
> > >
> > > Do you get build errors in Apache-2.0 too?
> >
> > Now I have enabled the TLS module (shared) and I have detected some more problems:
> > +++
> > checking for SSL library... checking whether to enable mod_tls... shared
> > configure: error: no - Unable to locate /usr/local/ssl/inc/ssl.h
> > +++
> > We should search for include, not inc!
> >
> > I have tried to use /usr/local/ssl/include; it also fails:
> > +++
> > /bin/sh /home2/apache20/apache/httpd-2.0/libtool --silent --mode=link gcc  -I.
> > -I/home2/apache20/apache/httpd-2.0/
> > -I/home2/apache20/apache/httpd-2.0/server/mpm/threaded
> > -I/home2/apache20/apache/httpd-2.0/modules/http
> > -I/home2/apache20/apache/httpd-2.0/include
> > -I/home2/apache20/apache/httpd-2.0/srclib/apr/include
> > -I/home2/apache20/apache/httpd-2.0/srclib/apr-util/include
> > -I/usr/local/ssl/include/openssl -I/home2/apache20/apache/httpd-2.0/os/unix
> > -D_REENTRANT -D_REENTRANT -DNO_DBM_REWRITEMAP -pthread  -export-dynamic
> > -export-dynamic -export-dynamic -export-dynamic -export-dynamic
> > -export-dynamic   -o httpd  modules.lo   modules/http/mod_http.la
> > modules/mappers/mod_so.la server/mpm/threaded/libthreaded.la server/libmain.la
> > os/unix/libos.la srclib/pcre/libpcre.la srclib/apr-util/libaprutil.la
> > srclib/apr/libapr.la
> > /home2/apache20/apache/httpd-2.0/srclib/apr/shmem/unix/mm/libmm.la -lnsl -lnsl
> > -lnsl -lm -lcrypt -lnsl -ldl -L/usr/local/ssl/include -lssl -lcrypto
> > /home2/apache20/apache/httpd-2.0/srclib/apr-util/xml/expat/lib/libexpat.la
> > /usr/i486-suse-linux/bin/ld: cannot find -lssl
> > collect2: ld returned 1 exit status
> > make[1]: *** [httpd] Error 1
> > make[1]: Leaving directory `/home2/apache20/apache/httpd-2.0'
> > make: *** [all-recursive] Error 1
> > +++
> > Adding -L/usr/local/ssl/include to find a library sounds bad!
> 
> Yes, as he didn't even use this path for the header files ?!?!

See above!

> 
> > > I enabled the TLS module, and
> > > it keeps breaking for a couple of days now in my nightly regression test:
> > >
> > >   Making all in tls
> > >   /bin/sh /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/libtool --silent --mode=compile gcc  -I.
> [...]
> > >   +-D_THREAD_SAFE -DNO_DBM_REWRITEMAP   -c mod_tls.c && touch mod_tls.lo
> > >   mod_tls.c: In function `tls_out_filter':
> > >   mod_tls.c:298: too few arguments to function `churn'
> > >   mod_tls.c:310: too few arguments to function `churn'
> > >   *** Error code 1
> > >   Stop in /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/tls.
> > >   *** Error code 1
> >
> > Probably easy to fix: add &zero where zero is "apr_size_t zero = 0;". Should I
> > try?
> 
> I would prefer if the main author would keep it up-to-date.
> I'd say don't waste too much time with it. I heard that Ralf intends to
> offer a ported mod_ssl soon. Let's wait for that.

Agreed, let's wait for the first one!

> 
> Still, I wonder if any other httpd-2.0 developer ever really tried to
> actually USE mod_tls.
> 
>    Martin
> --
> <Ma...@Fujitsu-Siemens.com>         |     Fujitsu Siemens
> Fon: +49-89-636-46021, FAX: +49-89-636-41143 | 81730  Munich,  Germany

Jean-frederic

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Wed, Apr 25, 2001 at 05:28:05PM +0200, Kraemer, Martin wrote:
> It appears that nobody really ever uses (or even compiles) this module.

I am sorry, Ben. I blamed you for breaking your own module, yet I just
re-checked and "cvs diff -r 1.4 -r 1.5 mod_tls.c" shows me who broke
the module. It was an oversight, and the change was never tested, it
did not compile.

My honest apologies, I overreacted.

  Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by Martin Kraemer <Ma...@fujitsu-siemens.com>.
It appears that nobody really ever uses (or even compiles) this module.

   Martin

On Wed, Apr 25, 2001 at 05:26:20PM +0200, Clere Jean-Frederic FSC EP LP COM 5 wrote:
> Martin Kraemer wrote:
> > 
> > Do you get build errors in Apache-2.0 too?
> 
> Now I have enabled the TLS module (shared) and I have detected some more problems:
> +++
> checking for SSL library... checking whether to enable mod_tls... shared
> configure: error: no - Unable to locate /usr/local/ssl/inc/ssl.h
> +++
> We should search for include, not inc!
> 
> I have tried to use /usr/local/ssl/include; it also fails:
> +++
> /bin/sh /home2/apache20/apache/httpd-2.0/libtool --silent --mode=link gcc  -I.
> -I/home2/apache20/apache/httpd-2.0/
> -I/home2/apache20/apache/httpd-2.0/server/mpm/threaded
> -I/home2/apache20/apache/httpd-2.0/modules/http
> -I/home2/apache20/apache/httpd-2.0/include
> -I/home2/apache20/apache/httpd-2.0/srclib/apr/include
> -I/home2/apache20/apache/httpd-2.0/srclib/apr-util/include
> -I/usr/local/ssl/include/openssl -I/home2/apache20/apache/httpd-2.0/os/unix  
> -D_REENTRANT -D_REENTRANT -DNO_DBM_REWRITEMAP -pthread  -export-dynamic
> -export-dynamic -export-dynamic -export-dynamic -export-dynamic
> -export-dynamic   -o httpd  modules.lo   modules/http/mod_http.la
> modules/mappers/mod_so.la server/mpm/threaded/libthreaded.la server/libmain.la
> os/unix/libos.la srclib/pcre/libpcre.la srclib/apr-util/libaprutil.la
> srclib/apr/libapr.la
> /home2/apache20/apache/httpd-2.0/srclib/apr/shmem/unix/mm/libmm.la -lnsl -lnsl
> -lnsl -lm -lcrypt -lnsl -ldl -L/usr/local/ssl/include -lssl -lcrypto
> /home2/apache20/apache/httpd-2.0/srclib/apr-util/xml/expat/lib/libexpat.la
> /usr/i486-suse-linux/bin/ld: cannot find -lssl
> collect2: ld returned 1 exit status
> make[1]: *** [httpd] Error 1
> make[1]: Leaving directory `/home2/apache20/apache/httpd-2.0'
> make: *** [all-recursive] Error 1                                               
> +++
> Adding -L/usr/local/ssl/include to find a library sounds bad!       

Yes, as he didn't even use this path for the header files ?!?!

> > I enabled the TLS module, and
> > it keeps breaking for a couple of days now in my nightly regression test:
> > 
> >   Making all in tls
> >   /bin/sh /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/libtool --silent --mode=compile gcc  -I.
[...]
> >   +-D_THREAD_SAFE -DNO_DBM_REWRITEMAP   -c mod_tls.c && touch mod_tls.lo
> >   mod_tls.c: In function `tls_out_filter':
> >   mod_tls.c:298: too few arguments to function `churn'
> >   mod_tls.c:310: too few arguments to function `churn'
> >   *** Error code 1
> >   Stop in /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/tls.
> >   *** Error code 1
> 
> Probably easy to fix: add &zero where zero is "apr_size_t zero = 0;". Should I
> try?

I would prefer if the main author would keep it up-to-date.
I'd say don't waste too much time with it. I heard that Ralf intends to
offer a ported mod_ssl soon. Let's wait for that.

Still, I wonder if any other httpd-2.0 developer ever really tried to
actually USE mod_tls.

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-41143 | 81730  Munich,  Germany

Re: SSL stuff

Posted by Ben Laurie <be...@algroup.co.uk>.
Martin Kraemer wrote:
> 
> On Wed, Apr 25, 2001 at 10:03:38AM -0700, Greg Stein wrote:
> > >...
> > > I agree that mod_tls isn't an advanced module, but it is a way to remove
> > > some of the politics from the SSL modules in Apache.
> >
> > Bingo. We've got two camps that disagree at a basic level. Fine, they can
> > continue with their rock throwing, and the core Apache will do its own
> > thing independently. The SSL situation will then just disappear since Apache
> > will simply come with a solution.
> 
> I disagree completely. Neither is the Apache Group going to get to
> a point where the "political" disagreement becomes any better,
> nor will "Apache simply come with a solution" within the next years.
> 
> - the mod_ssl author is not going to add any functionality to mod_tls,
>   because he says it is an almost 1:1 copy of a OpenSSL example, which
>   is nothing but the OpenSSL version of "Hello World".
>   Instead, he will remain in the unlucky situation where he is forced
>   to maintain mod_ssl for apache-2.x separately.

mod_tls is merely the module that implements SSL/TLS _as a filter_, and
no more - the criticism makes no sense in that context.

> - The mod_tls author alone will never get it to a point where it is fit
>   for professional use. That is certainly my biased opinion, because I
>   use mod_ssl.

The mod_tls author wasn't intending to, alone.

> - Current users of mod_ssl will demand professional quality because most of
>   them, ehhm, *ARE* using it in professional environment. They will
>   therefore not consider mod_tls. (I for one am maintaining the mod_ssl
>   enhanced version of Apache for BS2000. I did consider different solutions,
>   but they were unusable, in comparison to mod_ssl).
> 
> - If both were going to collaborate on the mod_tls-to-be, the situation
>   would be different. But it was "politically unwise" not to ask the
>   mod_ssl author before the mod_tls author added mod_tls to apache-2.0.
>   Now the situation is even worse than when both authors had their
>   own patches, because one author has his solution *in* the server
>   source tree, and the other author doesn't.

mod_tls is not a solution - it is a small part of one, and a part that
is needed by any complete one.

> - The remaining Apache Group members either never used SSL in the
>   first place, or are selling mod_ssl today as a commercial product.
>   The former are quite happy to see the R&D version grow from 12kB to
>   a professional solution (which will take years if experienced SSL
>   developers work on it, and with "experienced" I do not only mean
>   "experienced programmers", but also those who have experience with
>   making a product _fit_for_market_ like adding good documentation,
>   making it easily configurable, robust, flexible, and the like).
>   The latter are quite satisfied that they have mod_ssl (under a different
>   name) in their drawers, because it means they have an advantage over
>   the competition (which still plays with the mod_tls toy).
>   Face it: mod_ssl IS the professional solution, and that is the reason
>   why other (already professional) SSL solutions for Apache-1.3 were
>   ditched and replaced by mod_ssl (and not by Apache-SSL).
> 
> mod_tls looks like the right approach, technically, but why not "add
> mod_tls to mod_ssl", which gives us (and the world) a world-class SSL
> server based on the World-class HTTP server? That could be a basis where
> collaboration would make sense, and other mod_ssl/Apache-SSL users
> could help us iron out any 2.x related things.
> 
> But starting from scratch is IMHO not the way to get mod_tls up and
> running within the next 2 years.

I'm going to amaze everyone by agreeing - I don't think there are enough
people interested to make this approach work. Furthermore, I'm also
quite happy to start from a ported mod_ssl as a basis (yes, really). I
would also like to stop supporting Apache-SSL, and I can only do that if
there's decent SSL support that I can work on in Apache. I agree that
mod_ssl is favoured, for whatever reason, and therefore I will now agree
to not oppose its inclusion in Apache.

However, it really should use the filter in mod_tls to do the SSL - that
was actually considerably hard to get right. And there's a bunch of
other stuff that should be done to make SSL support properly modular.

I'm happy to work with Ralf to make that happen, if the result will
belong to the ASF.

Cheers,

Ben.


--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/

Re: SSL stuff

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Fri, Apr 27, 2001 at 09:22:51AM -0400, Jim Jagielski wrote:
> Martin Kraemer wrote:
> > 
> > AFAIK Ralf is working on a mod_ssl port to apache-2.0. And I noticed
> > there is already a modules/ssl/ subdirectory present in CVS.
> > Does that mean that Ralf is free to add mod_ssl in parallel to mod_tls,
> > so that apache-2.0 users will have the choice between the "small but
> > sufficient" and the "bigger but professional" SSL solution?
> > 
> 
> Here's my take on things... First of all, I don't think the
> httpd-2.0 CVS tree should be a place where people "drop"
> code into to "stake a claim". If mod_tls and mod_ssl and mod_whatever
> will be officially folded into and maintained in the CVS tree,
> similar to what's being done with mod_proxy, mod_dav, etc. then
> I'm up for as many implementations included as there are
> people supporting it.

++1. Fully agreed. (In a private talk, I think Ralf got the
impression that his solution was unwanted by the other members.
That is why I wanted to bring this up for discussion).

> I don't think we (the ASF) should take
> any sort of position on which is the better choice, or
> even make editorial statements regarding the various solutions
> though :)

Blush... Sorry, you are right, of course.

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: SSL stuff

Posted by Greg Stein <gs...@lyra.org>.
On Fri, Apr 27, 2001 at 09:22:51AM -0400, Jim Jagielski wrote:
>...
> I don't think we (the ASF) should take
> any sort of position on which is the better choice, or
> even make editorial statements regarding the various solutions
> though :)

If it is in our tree, then we damn well better be making an editorial
statement.

Outside our tree (e.g. ApacheSSL vs mod_ssl), then you're absolutely right.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: SSL stuff

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Thu, Apr 26, 2001 at 02:59:54PM -0700, Roy T. Fielding wrote:
> 
> Well then, we are screwed until some people lose their attitude problem,
> or someone else comes along to replace them.  That is nothing new.

Ah. Then I misinterpreted the situation. I thought both would have liked
to have it "their way" but only one solution should be added.

> The only reason the tls solution is in the code base is because one
> of the committers committed something rather than continue to wait until
> the other committers showed some evidence of life.  If you or anyone
> else with commit access has a better solution, then commit the better
> solution.  I have no more patience left for people who complain about
> the status quo when they know perfectly well how to change it and have
> had permission to do so since the London ApacheCon.  I don't care if we
> have five different SSL solutions in the code base, provided they come
> from people willing and able to maintain them.

AFAIK Ralf is working on a mod_ssl port to apache-2.0. And I noticed
there is already a modules/ssl/ subdirectory present in CVS.
Does that mean that Ralf is free to add mod_ssl in parallel to mod_tls,
so that apache-2.0 users will have the choice between the "small but
sufficient" and the "bigger but professional" SSL solution?

  Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: SSL stuff

Posted by "Roy T. Fielding" <fi...@ebuilt.com>.
> I disagree completely. Neither is the Apache Group going to get to
> a point where the "political" disagreement becomes any better,
> nor will "Apache simply come with a solution" within the next years.

Well then, we are screwed until some people lose their attitude problem,
or someone else comes along to replace them.  That is nothing new.

The only reason the tls solution is in the code base is because one
of the committers committed something rather than continue to wait until
the other committers showed some evidence of life.  If you or anyone
else with commit access has a better solution, then commit the better
solution.  I have no more patience left for people who complain about
the status quo when they know perfectly well how to change it and have
had permission to do so since the London ApacheCon.  I don't care if we
have five different SSL solutions in the code base, provided they come
from people willing and able to maintain them.

I don't give a rat's ass about this right now because I think my time
is better focused on making 2.0 a good HTTP server first.  When it gets
to that point, I'll start thinking about modules again.  Until then,
scratch your own itch.

....Roy


Re: SSL stuff

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Wed, Apr 25, 2001 at 10:03:38AM -0700, Greg Stein wrote:
> >...
> > I agree that mod_tls isn't an advanced module, but it is a way to remove
> > some of the politics from the SSL modules in Apache.
> 
> Bingo. We've got two camps that disagree at a basic level. Fine, they can
> continue with their rock throwing, and the core Apache will do its own
> thing independently. The SSL situation will then just disappear since Apache
> will simply come with a solution.

I disagree completely. Neither is the Apache Group going to get to
a point where the "political" disagreement becomes any better,
nor will "Apache simply come with a solution" within the next years.

- the mod_ssl author is not going to add any functionality to mod_tls,
  because he says it is an almost 1:1 copy of a OpenSSL example, which
  is nothing but the OpenSSL version of "Hello World".
  Instead, he will remain in the unlucky situation where he is forced
  to maintain mod_ssl for apache-2.x separately.

- The mod_tls author alone will never get it to a point where it is fit
  for professional use. That is certainly my biased opinion, because I
  use mod_ssl.

- Current users of mod_ssl will demand professional quality because most of
  them, ehhm, *ARE* using it in professional environment. They will
  therefore not consider mod_tls. (I for one am maintaining the mod_ssl
  enhanced version of Apache for BS2000. I did consider different solutions,
  but they were unusable, in comparison to mod_ssl).

- If both were going to collaborate on the mod_tls-to-be, the situation
  would be different. But it was "politically unwise" not to ask the
  mod_ssl author before the mod_tls author added mod_tls to apache-2.0.
  Now the situation is even worse than when both authors had their
  own patches, because one author has his solution *in* the server
  source tree, and the other author doesn't.

- The remaining Apache Group members either never used SSL in the
  first place, or are selling mod_ssl today as a commercial product.
  The former are quite happy to see the R&D version grow from 12kB to
  a professional solution (which will take years if experienced SSL
  developers work on it, and with "experienced" I do not only mean
  "experienced programmers", but also those who have experience with
  making a product _fit_for_market_ like adding good documentation,
  making it easily configurable, robust, flexible, and the like).
  The latter are quite satisfied that they have mod_ssl (under a different
  name) in their drawers, because it means they have an advantage over
  the competition (which still plays with the mod_tls toy).
  Face it: mod_ssl IS the professional solution, and that is the reason
  why other (already professional) SSL solutions for Apache-1.3 were
  ditched and replaced by mod_ssl (and not by Apache-SSL).

mod_tls looks like the right approach, technically, but why not "add
mod_tls to mod_ssl", which gives us (and the world) a world-class SSL
server based on the World-class HTTP server? That could be a basis where
collaboration would make sense, and other mod_ssl/Apache-SSL users
could help us iron out any 2.x related things.

But starting from scratch is IMHO not the way to get mod_tls up and
running within the next 2 years.

Just my $.02, of course.

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: SSL stuff (was: Re: [martin: Cron CRONJOBS/httpd-2.0-build])

Posted by rb...@covalent.net.
> > I agree that this module has been abandoned, but I would
>
> I disagree that it is "abandoned." We all have time here and there to work
> on things. That means some work time, and some idle time. Who says that
> nobody is working on it? Who says that nobody is ready to step up to the
> plate and work on it? It is premature to call it abandoned.

The only reason I called it abandoned is that nobody has worked on it since
it was first committed.  Other than that one point of clarification, I
agree 100% with everything you said.

Ryan


_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------


SSL stuff (was: Re: [martin: Cron CRONJOBS/httpd-2.0-build])

Posted by Greg Stein <gs...@lyra.org>.
On Wed, Apr 25, 2001 at 08:34:37AM -0700, rbb@covalent.net wrote:
> On Wed, 25 Apr 2001, Martin Kraemer wrote:
>..
> > If there is no one who actually cares for the mod_tls baby, I propose to
> > delete it entirely and replace it by a REAL solution, based on Ralf's
> > mod_ssl. The current "implementation" of mod_tls is a PITA, nothing
> > more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
> > would even consider switching to httpd-2.0+mod_tls from apache_1.3.x+mod_ssl.
> >
> > Sorry to be so honest about it, Ben, but that's how I see it.
> 
> I honestly believe that mod_tls is a better solution than the 1.3 version
> of mod_ssl.

I can't say that one is better than the other, but I care for it and don't
want to see it go. It is the beginning of what I think is the right approach
for us (in terms of how it deals with the filters).

> I agree that this module has been abandoned, but I would

I disagree that it is "abandoned." We all have time here and there to work
on things. That means some work time, and some idle time. Who says that
nobody is working on it? Who says that nobody is ready to step up to the
plate and work on it? It is premature to call it abandoned.

>...
> I agree that mod_tls isn't an advanced module, but it is a way to remove
> some of the politics from the SSL modules in Apache.

Bingo. We've got two camps that disagree at a basic level. Fine, they can
continue with their rock throwing, and the core Apache will do its own
thing independently. The SSL situation will then just disappear since Apache
will simply come with a solution.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by "William A. Rowe, Jr." <ad...@rowe-clan.net>.
From: <rb...@covalent.net>
Sent: Wednesday, April 25, 2001 10:34 AM


> On Wed, 25 Apr 2001, Martin Kraemer wrote:
> 
> >
> > If there is no one who actually cares for the mod_tls baby, I propose to
> > delete it entirely and replace it by a REAL solution, based on Ralf's
> > mod_ssl. The current "implemetation" of mod_tls is a a PITA, nothing
> > more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
> > would even consider to switch to httpd-2.0+mod_tls from apache_1.3.x+mod_ssl.
> >
> > Sorry to be so honest about it, Ben, but that's how I see it.
> 
> I honestly believe that mod_tls is a better solution than the 1.3 version
> of mod_ssl.  I agree that this module has been abandoned, but I would
> prefer to look at why instead of just leaving it abandoned.  It is on my
> list to fix the build problems on mod_tls, I just need a few hours to look
> at it.
> 
> I agree that mod_tls isn't an advanced module, but it is a way to remove
> some of the politics from the SSL modules in Apache.

More to the point...

mod_rewrite was a nightmare.  mod_proxy was a nightmare.  mod_include still
remains a nightmare (try throwing bad tags and watch a response of nothing,
including headers, come back.)  Very complex blocks of code are unavoidably
prone to issues.

mod_tls is actually very effective if _all_ you attempt to do is secure the
channel.  This is possibly all you want on your palmpilot running apache ;->

We obviously agree we want more functionality, but it's not necessarily a
bad idea to build upon a lightweight flavour.  mod_ssl is terrific feature
wise, and I'd love to grow in that direction, but KISS is the difference 
between having more mod_rewrite/proxy/include style nightmares.

Bill



Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by Ben Laurie <be...@algroup.co.uk>.
Bill Stoddard wrote:
> Some of us IBM folks are tentatively planning on adapting mod_tls to work with other crypto
> libraries (other than OpenSSL).  Getting 2.0 threaded stable is the first priority though.

Since the plan is to keep mod_tls as the basis of all SSL operations
(including proxy client style stuff) this would obviously be a cool way
to handle things.

I'd be interested in participating in any architectural discussions...

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/

Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by Bill Stoddard <bi...@wstoddard.com>.
> On Wed, 25 Apr 2001, Martin Kraemer wrote:
>
<snip>
> >
> > If there is no one who actually cares for the mod_tls baby, I propose to
> > delete it entirely and replace it by a REAL solution, based on Ralf's
> > mod_ssl. The current "implemetation" of mod_tls is a a PITA, nothing
> > more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
> > would even consider to switch to httpd-2.0+mod_tls from apache_1.3.x+mod_ssl.
> >
> > Sorry to be so honest about it, Ben, but that's how I see it.
>
> I honestly believe that mod_tls is a better solution than the 1.3 version
> of mod_ssl.  I agree that this module has been abandoned, but I would
> prefer to look at why instead of just leaving it abandoned.  It is on my
> list to fix the build problems on mod_tls, I just need a few hours to look
> at it.
>
> I agree that mod_tls isn't an advanced module, but it is a way to remove
> some of the politics from the SSL modules in Apache.
>

Some of us IBM folks are tentatively planning on adapting mod_tls to work with other crypto
libraries (other than OpenSSL).  Getting 2.0 threaded stable is the first priority though.

Bill



Re: [martin: Cron CRONJOBS/httpd-2.0-build]

Posted by rb...@covalent.net.
On Wed, 25 Apr 2001, Martin Kraemer wrote:

> Do you get build errors in Apache-2.0 too? I enabled the TLS module, and
> it keeps breaking for a couple of days now in my nightly regression test:
>
>   Making all in tls
>   /bin/sh /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/libtool --silent --mode=compile gcc  -I.
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/tls
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/server/mpm/prefork
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/http
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/include
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/srclib/apr/include
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/srclib/apr-util/include
>   +-I/usr/local/ssl/include/openssl -I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/dav/main
>   +-I/home/com5/martin/pgtm0035/apachen/X/httpd-2.0/os/unix   -D_REENTRANT -D_THREAD_SAFE -D_REENTRANT
>   +-D_THREAD_SAFE -DNO_DBM_REWRITEMAP   -c mod_tls.c && touch mod_tls.lo
>   mod_tls.c: In function `tls_out_filter':
>   mod_tls.c:298: too few arguments to function `churn'
>   mod_tls.c:310: too few arguments to function `churn'
>   *** Error code 1
>   Stop in /home/com5/martin/pgtm0035/apachen/X/httpd-2.0/modules/tls.
>   *** Error code 1
>
> If there is no one who actually cares for the mod_tls baby, I propose to
> delete it entirely and replace it by a REAL solution, based on Ralf's
> mod_ssl. The current "implemetation" of mod_tls is a a PITA, nothing
> more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
> would even consider to switch to httpd-2.0+mod_tls from apache_1.3.x+mod_ssl.
>
> Sorry to be so honest about it, Ben, but that's how I see it.

I honestly believe that mod_tls is a better solution than the 1.3 version
of mod_ssl.  I agree that this module has been abandoned, but I would
prefer to look at why instead of just leaving it abandoned.  It is on my
list to fix the build problems on mod_tls, I just need a few hours to look
at it.

I agree that mod_tls isn't an advanced module, but it is a way to remove
some of the politics from the SSL modules in Apache.

Ryan

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------