Posted to dev@httpd.apache.org by Greg Stein <gs...@lyra.org> on 2001/04/25 19:03:38 UTC

SSL stuff (was: Re: [martin: Cron CRONJOBS/httpd-2.0-build])

On Wed, Apr 25, 2001 at 08:34:37AM -0700, rbb@covalent.net wrote:
> On Wed, 25 Apr 2001, Martin Kraemer wrote:
>..
> > If there is no one who actually cares for the mod_tls baby, I propose to
> > delete it entirely and replace it by a REAL solution, based on Ralf's
> > mod_ssl. The current "implementation" of mod_tls is a PITA, nothing
> > more than an (abandoned) proof-of-concept IMHO.  As it stands, no ISP
> > would even consider to switch to httpd-2.0+mod_tls from apache_1.3.x+mod_ssl.
> >
> > Sorry to be so honest about it, Ben, but that's how I see it.
> 
> I honestly believe that mod_tls is a better solution than the 1.3 version
> of mod_ssl.

I can't say that one is better than the other, but I care for it and don't
want to see it go. It is the beginning of what I think is the right approach
for us (in terms of how it deals with the filters).

> I agree that this module has been abandoned, but I would

I disagree that it is "abandoned." We all have time here and there to work
on things. That means some work time, and some idle time. Who says that
nobody is working on it? Who says that nobody is ready to step up to the
plate and work on it? It is premature to call it abandoned.

>...
> I agree that mod_tls isn't an advanced module, but it is a way to remove
> some of the politics from the SSL modules in Apache.

Bingo. We've got two camps that disagree at a basic level. Fine, they can
continue with their rock throwing, and the core Apache will do its own
thing independently. The SSL situation will then just disappear since Apache
will simply come with a solution.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: SSL stuff

Posted by Ben Laurie <be...@algroup.co.uk>.
Martin Kraemer wrote:
> 
> On Wed, Apr 25, 2001 at 10:03:38AM -0700, Greg Stein wrote:
> > >...
> > > I agree that mod_tls isn't an advanced module, but it is a way to remove
> > > some of the politics from the SSL modules in Apache.
> >
> > Bingo. We've got two camps that disagree at a basic level. Fine, they can
> > continue with their rock throwing, and the core Apache will do its own
> > thing independently. The SSL situation will then just disappear since Apache
> > will simply come with a solution.
> 
> I disagree completely. Neither is the Apache Group going to get to
> a point where the "political" disagreement becomes any better,
> nor will "Apache simply come with a solution" within the next years.
> 
> - the mod_ssl author is not going to add any functionality to mod_tls,
>   because he says it is an almost 1:1 copy of an OpenSSL example, which
>   is nothing but the OpenSSL version of "Hello World".
>   Instead, he will remain in the unlucky situation where he is forced
>   to maintain mod_ssl for apache-2.x separately.

mod_tls is merely the module that implements SSL/TLS _as a filter_, and
no more - the criticism makes no sense in that context.

> - The mod_tls author alone will never get it to a point where it is fit
>   for professional use. That is certainly my biased opinion, because I
>   use mod_ssl.

The mod_tls author wasn't intending to, alone.

> - Current users of mod_ssl will demand professional quality because most of
>   them, ehhm, *ARE* using it in a professional environment. They will
>   therefore not consider mod_tls. (I for one am maintaining the mod_ssl
>   enhanced version of Apache for BS2000. I did consider different solutions,
>   but they were unusable, in comparison to mod_ssl).
> 
> - If both were going to collaborate on the mod_tls-to-be, the situation
>   would be different. But it was "politically unwise" not to ask the
>   mod_ssl author before the mod_tls author added mod_tls to apache-2.0.
>   Now the situation is even worse than when both authors had their
>   own patches, because one author has his solution *in* the server
>   source tree, and the other author doesn't.

mod_tls is not a solution - it is a small part of one, and a part that
is needed by any complete one.

> - The remaining Apache Group members either never used SSL in the
>   first place, or are selling mod_ssl today as a commercial product.
>   The former are quite happy to see the R&D version grow from 12kB to
>   a professional solution (which will take years if experienced SSL
>   developers work on it, and with "experienced" I do not only mean
>   "experienced programmers", but also those who have experience with
>   making a product _fit_for_market_ like adding good documentation,
>   making it easily configurable, robust, flexible, and the like).
>   The latter are quite satisfied that they have mod_ssl (under a different
>   name) in their drawers, because it means they have an advantage over
>   the competition (which still plays with the mod_tls toy).
>   Face it: mod_ssl IS the professional solution, and that is the reason
>   why other (already professional) SSL solutions for Apache-1.3 were
>   ditched and replaced by mod_ssl (and not by Apache-SSL).
> 
> mod_tls looks like the right approach, technically, but why not "add
> mod_tls to mod_ssl", which gives us (and the world) a world-class SSL
> server based on the World-class HTTP server? That could be a basis where
> collaboration would make sense, and other mod_ssl/Apache-SSL users
> could help us iron out any 2.x related things.
> 
> But starting from scratch is IMHO not the way to get mod_tls up and
> running within the next 2 years.

I'm going to amaze everyone by agreeing - I don't think there are enough
people interested to make this approach work. Furthermore, I'm also
quite happy to start from a ported mod_ssl as a basis (yes, really). I
would also like to stop supporting Apache-SSL, and I can only do that if
there's decent SSL support that I can work on in Apache. I agree that
mod_ssl is favoured, for whatever reason, and therefore I will now agree
to not oppose its inclusion in Apache.

However, it really should use the filter in mod_tls to do the SSL - that
was actually considerably hard to get right. And there's a bunch of
other stuff that should be done to make SSL support properly modular.

I'm happy to work with Ralf to make that happen, if the result will
belong to the ASF.

Cheers,

Ben.


--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/

Re: SSL stuff

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Fri, Apr 27, 2001 at 09:22:51AM -0400, Jim Jagielski wrote:
> Martin Kraemer wrote:
> > 
> > AFAIK Ralf is working on a mod_ssl port to apache-2.0. And I noticed
> > there is already a modules/ssl/ subdirectory present in CVS.
> > Does that mean that Ralf is free to add mod_ssl in parallel to mod_tls,
> > so that apache-2.0 users will have the choice between the "small but
> > sufficient" and the "bigger but professional" SSL solution?
> > 
> 
> Here's my take on things... First of all, I don't think the
> httpd-2.0 CVS tree should be a place where people "drop"
> code into to "stake a claim". If mod_tls and mod_ssl and mod_whatever
> will be officially folded into and maintained in the CVS tree,
> similar to what's being done with mod_proxy, mod_dav, etc. then
> I'm up for as many implementations included as there are
> people supporting it.

++1. Fully agreed. (In a private talk, I think Ralf got the
impression that his solution was unwanted by the other members.
That is why I wanted to bring this up for discussion).

> I don't think we (the ASF) should take
> any sort of position on which is the better choice, or
> even make editorial statements regarding the various solutions
> though :)

Blush... Sorry, you are right, of course.

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: SSL stuff

Posted by Greg Stein <gs...@lyra.org>.
On Fri, Apr 27, 2001 at 09:22:51AM -0400, Jim Jagielski wrote:
>...
> I don't think we (the ASF) should take
> any sort of position on which is the better choice, or
> even make editorial statements regarding the various solutions
> though :)

If it is in our tree, then we damn well better be making an editorial
statement.

Outside our tree (e.g. ApacheSSL vs mod_ssl), then you're absolutely right.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: SSL stuff

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Thu, Apr 26, 2001 at 02:59:54PM -0700, Roy T. Fielding wrote:
> 
> Well then, we are screwed until some people lose their attitude problem,
> or someone else comes along to replace them.  That is nothing new.

Ah. Then I misinterpreted the situation. I thought both would have liked
to have it "their way" but only one solution should be added.

> The only reason the tls solution is in the code base is because one
> of the committers committed something rather than continue to wait until
> the other committers showed some evidence of life.  If you or anyone
> else with commit access has a better solution, then commit the better
> solution.  I have no more patience left for people who complain about
> the status quo when they know perfectly well how to change it and have
> had permission to do so since the London ApacheCon.  I don't care if we
> have five different SSL solutions in the code base, provided they come
> from people willing and able to maintain them.

AFAIK Ralf is working on a mod_ssl port to apache-2.0. And I noticed
there is already a modules/ssl/ subdirectory present in CVS.
Does that mean that Ralf is free to add mod_ssl in parallel to mod_tls,
so that apache-2.0 users will have the choice between the "small but
sufficient" and the "bigger but professional" SSL solution?

  Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: SSL stuff

Posted by "Roy T. Fielding" <fi...@ebuilt.com>.
> I disagree completely. Neither is the Apache Group going to get to
> a point where the "political" disagreement becomes any better,
> nor will "Apache simply come with a solution" within the next years.

Well then, we are screwed until some people lose their attitude problem,
or someone else comes along to replace them.  That is nothing new.

The only reason the tls solution is in the code base is because one
of the committers committed something rather than continue to wait until
the other committers showed some evidence of life.  If you or anyone
else with commit access has a better solution, then commit the better
solution.  I have no more patience left for people who complain about
the status quo when they know perfectly well how to change it and have
had permission to do so since the London ApacheCon.  I don't care if we
have five different SSL solutions in the code base, provided they come
from people willing and able to maintain them.

I don't give a rat's ass about this right now because I think my time
is better focused on making 2.0 a good HTTP server first.  When it gets
to that point, I'll start thinking about modules again.  Until then,
scratch your own itch.

....Roy


Re: SSL stuff

Posted by Martin Kraemer <Ma...@Fujitsu-Siemens.com>.
On Wed, Apr 25, 2001 at 10:03:38AM -0700, Greg Stein wrote:
> >...
> > I agree that mod_tls isn't an advanced module, but it is a way to remove
> > some of the politics from the SSL modules in Apache.
> 
> Bingo. We've got two camps that disagree at a basic level. Fine, they can
> continue with their rock throwing, and the core Apache will do its own
> thing independently. The SSL situation will then just disappear since Apache
> will simply come with a solution.

I disagree completely. Neither is the Apache Group going to get to
a point where the "political" disagreement becomes any better,
nor will "Apache simply come with a solution" within the next years.

- the mod_ssl author is not going to add any functionality to mod_tls,
  because he says it is an almost 1:1 copy of an OpenSSL example, which
  is nothing but the OpenSSL version of "Hello World".
  Instead, he will remain in the unlucky situation where he is forced
  to maintain mod_ssl for apache-2.x separately.

- The mod_tls author alone will never get it to a point where it is fit
  for professional use. That is certainly my biased opinion, because I
  use mod_ssl.

- Current users of mod_ssl will demand professional quality because most of
  them, ehhm, *ARE* using it in a professional environment. They will
  therefore not consider mod_tls. (I for one am maintaining the mod_ssl
  enhanced version of Apache for BS2000. I did consider different solutions,
  but they were unusable, in comparison to mod_ssl).

- If both were going to collaborate on the mod_tls-to-be, the situation
  would be different. But it was "politically unwise" not to ask the
  mod_ssl author before the mod_tls author added mod_tls to apache-2.0.
  Now the situation is even worse than when both authors had their
  own patches, because one author has his solution *in* the server
  source tree, and the other author doesn't.

- The remaining Apache Group members either never used SSL in the
  first place, or are selling mod_ssl today as a commercial product.
  The former are quite happy to see the R&D version grow from 12kB to
  a professional solution (which will take years if experienced SSL
  developers work on it, and with "experienced" I do not only mean
  "experienced programmers", but also those who have experience with
  making a product _fit_for_market_ like adding good documentation,
  making it easily configurable, robust, flexible, and the like).
  The latter are quite satisfied that they have mod_ssl (under a different
  name) in their drawers, because it means they have an advantage over
  the competition (which still plays with the mod_tls toy).
  Face it: mod_ssl IS the professional solution, and that is the reason
  why other (already professional) SSL solutions for Apache-1.3 were
  ditched and replaced by mod_ssl (and not by Apache-SSL).

mod_tls looks like the right approach, technically, but why not "add
mod_tls to mod_ssl", which gives us (and the world) a world-class SSL
server based on the World-class HTTP server? That could be a basis where
collaboration would make sense, and other mod_ssl/Apache-SSL users
could help us iron out any 2.x related things.

But starting from scratch is IMHO not the way to get mod_tls up and
running within the next 2 years.

Just my $.02, of course.

   Martin
-- 
<Ma...@Fujitsu-Siemens.com>    |       Fujitsu Siemens
       <ma...@apache.org>              |   81730  Munich,  Germany

Re: SSL stuff (was: Re: [martin: Cron CRONJOBS/httpd-2.0-build])

Posted by rb...@covalent.net.
> > I agree that this module has been abandoned, but I would
>
> I disagree that it is "abandoned." We all have time here and there to work
> on things. That means some work time, and some idle time. Who says that
> nobody is working on it? Who says that nobody is ready to step up to the
> plate and work on it? It is premature to call it abandoned.

The only reason I called it abandoned is that nobody has worked on it since
it was first committed.  Other than that one point of clarification, I
agree 100% with everything you said.

Ryan


_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
406 29th St.
San Francisco, CA 94131
-------------------------------------------------------------------------------