Posted to dev@httpd.apache.org by Guenter Knauf <fu...@apache.org> on 2010/11/29 22:46:05 UTC

mod_ssl ssl_util_stapling.c warnings

Hi Steve,
ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 
1.0.0; MSVC warns:
\modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : 
incompatible types - from 'struct stack_st_OPENSSL_STRING *' to 'struct 
stack_st_STRING *'
C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(142) : 
warning C4133: 'function' : incompatible types - from 'struct 
stack_st_STRING *' to 'struct stack_st *'
C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(148) : 
warning C4133: 'function' : incompatible types - from 'struct 
stack_st_STRING *' to 'struct stack_st_OPENSSL_STRING *'

and my picky CodeWarrior breaks:
Compiling ssl_util_stapling.c
### mwccnlm Compiler:
#    File: ssl_util_stapling.c
# ----------------------------
#     140:      aia = X509_get1_ocsp(x);
#   Error:                             ^
#   illegal implicit conversion from 'struct stack_st_OPENSSL_STRING *' to
#   'struct stack_st_STRING *'
### mwccnlm Compiler:
#     142:          cinf->uri = sk_STRING_pop(aia);
#   Error:                                       ^
#   illegal implicit conversion from 'struct stack_st_STRING *' to
#   'struct stack_st *'
### mwccnlm Compiler:
#     148:          X509_email_free(aia);
#   Error:                             ^
#   illegal implicit conversion from 'struct stack_st_STRING *' to
#   'struct stack_st_OPENSSL_STRING *'

Errors caused tool to abort.

I think that we had something similar already in the past, and you suggested 
a change which was compatible with both 0.9.8 and 1.0.0 branches, but I 
can't recall ...
Or do we need to cleanly solve this with some version-dependent defines?

Gün.



Re: mod_ssl ssl_util_stapling.c warnings

Posted by Rob Stradling <ro...@comodo.com>.
On Wednesday 22 December 2010 16:11:21 Dr Stephen Henson wrote:
> On 22/12/2010 15:32, Rob Stradling wrote:
> > On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
> > <snip>
> > 
> >> Would it be possible to make OCSP Stapling enabled by default (when the
> >> server certificate contains an OCSP Responder URL in the AIA extension)
> >> instead of disabled by default?
> >> (Perhaps "SSLUseStapling" could be replaced by "SSLDisableStapling")
> > 
> > Steve et al,
> > 
> > Could you possibly spare a moment to answer this question?
> 
> I was seeing if anyone else would comment on this first. It is of course
> technically possible.
> 
> The OCSP stapling code requires an additional directive to enable an OCSP
> stapling cache: so this would break existing configuration files if enabled
> by default.

Would it be possible to change the OCSP stapling code so that it will set up 
the OCSP stapling cache with some sensible default settings if the 
SSLStaplingCache directive is not specified anywhere in the config files?

> More significantly the code hasn't been tested extensively "in the field"
> so there may be problems that have yet to be uncovered.

That's a fair point.

> My personal opinion would be to, at least initially, require an explicit
> directive to enable it and leave the option in future to have it enabled by
> default.

Makes sense.  "tested extensively in the field" isn't likely to happen until 
httpd 2.4.x is released and significant numbers of sites upgrade.  Hopefully 
it would be "safe" to enable it by default in a fairly early 2.4.x point 
release.

> Anyone else have any thoughts on the matter?
> 
> Steve.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Re: mod_ssl ssl_util_stapling.c warnings

Posted by Dr Stephen Henson <sh...@oss-institute.org>.
On 22/12/2010 15:32, Rob Stradling wrote:
> On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
> <snip>
>> Would it be possible to make OCSP Stapling enabled by default (when the
>> server certificate contains an OCSP Responder URL in the AIA extension)
>> instead of disabled by default?
>> (Perhaps "SSLUseStapling" could be replaced by "SSLDisableStapling")
> 
> Steve et al,
> 
> Could you possibly spare a moment to answer this question?
> 

I was seeing if anyone else would comment on this first. It is of course
technically possible.

The OCSP stapling code requires an additional directive to enable an OCSP
stapling cache: so this would break existing configuration files if enabled by
default.

More significantly the code hasn't been tested extensively "in the field" so
there may be problems that have yet to be uncovered.

My personal opinion would be to, at least initially, require an explicit
directive to enable it and leave the option in future to have it enabled by default.

Anyone else have any thoughts on the matter?

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
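
The dependency described in the message above, shown as an added configuration sketch (not taken from the thread or from the httpd sources): stapling is switched on with `SSLUseStapling`, and it also needs an `SSLStaplingCache` line, which configuration files written before stapling existed will not have. The paths, cache size and host name are placeholders chosen for illustration.

```apache
# Added illustration; paths, cache size and host name are placeholders.

# Server-wide, outside any <VirtualHost>: the OCSP stapling cache.
# The shmcb provider requires mod_socache_shmcb to be loaded.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # The certificate must carry an OCSP responder URL in its AIA extension
    # for the server to know where to fetch the response it staples.
    SSLCertificateFile    "conf/server.crt"
    SSLCertificateKeyFile "conf/server.key"

    # Explicit opt-in. An existing configuration has neither this line nor
    # the SSLStaplingCache line above, which is why flipping the default
    # to "on" would affect it.
    SSLUseStapling on
</VirtualHost>

# To confirm a response is actually stapled, from a client machine:
#   openssl s_client -connect www.example.com:443 -status
# and look for an "OCSP Response Data" section in the output.
```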

Re: mod_ssl ssl_util_stapling.c warnings

Posted by Rob Stradling <ro...@comodo.com>.
On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
<snip>
> Would it be possible to make OCSP Stapling enabled by default (when the
> server certificate contains an OCSP Responder URL in the AIA extension)
> instead of disabled by default?
> (Perhaps "SSLUseStapling" could be replaced by "SSLDisableStapling")

Steve et al,

Could you possibly spare a moment to answer this question?

Thanks.

> I just wonder how many webmasters would bother to add "SSLUseStapling on"
> to their config files, even though OCSP Stapling benefits all parties.
> 
> I understand that Microsoft IIS 7.x enables OCSP Stapling by default.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Re: mod_ssl ssl_util_stapling.c warnings

Posted by Guenter Knauf <fu...@apache.org>.
On 30.11.2010 01:55, Dr Stephen Henson wrote:
>> See if the patch for bug #50121 resolves this for you.
>
> There's a slightly cleaner way of doing that; r1040366 in trunk fixes it for me.
Thanks Steve, works fine. I've closed bug #50121.

Gün.



Re: mod_ssl ssl_util_stapling.c warnings

Posted by Rob Stradling <ro...@comodo.com>.
On Tuesday 30 November 2010 00:55:48 Dr Stephen Henson wrote:
> On 30/11/2010 00:03, Dr Stephen Henson wrote:
> > On 29/11/2010 21:46, Guenter Knauf wrote:
<snip>
> >> I think that we had something similar already in the past, and you suggested
> >> a change which was compatible with both 0.9.8 and 1.0.0 branches, but I
> >> can't recall ... Or do we need to cleanly solve this with some
> >> version-dependent defines?
> > 
> > See if the patch for bug #50121 resolves this for you.
> 
> There's a slightly cleaner way of doing that; r1040366 in trunk fixes it for
> me.
> 
> Steve.

Steve, thanks for cleaning and applying my patch.  A quick question, if I 
may...

Would it be possible to make OCSP Stapling enabled by default (when the server 
certificate contains an OCSP Responder URL in the AIA extension) instead of 
disabled by default?
(Perhaps "SSLUseStapling" could be replaced by "SSLDisableStapling")

I just wonder how many webmasters would bother to add "SSLUseStapling on" to 
their config files, even though OCSP Stapling benefits all parties.

I understand that Microsoft IIS 7.x enables OCSP Stapling by default.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Re: mod_ssl ssl_util_stapling.c warnings

Posted by Dr Stephen Henson <sh...@oss-institute.org>.
On 30/11/2010 00:03, Dr Stephen Henson wrote:
> On 29/11/2010 21:46, Guenter Knauf wrote:
>> Hi Steve,
>> ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 1.0.0; MSVC
>> warns:
>> \modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : incompatible types
>> - from 'struct stack_st_OPENSSL_STRING *' to 'struct stack_st_STRING *'
>> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(142) : warning
>> C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to
>> 'struct stack_st *'
>> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(148) : warning
>> C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to
>> 'struct stack_st_OPENSSL_STRING *'
>>
>> and my picky CodeWarrior breaks:
>> Compiling ssl_util_stapling.c
>> ### mwccnlm Compiler:
>> #    File: ssl_util_stapling.c
>> # ----------------------------
>> #     140:      aia = X509_get1_ocsp(x);
>> #   Error:                             ^
>> #   illegal implicit conversion from 'struct stack_st_OPENSSL_STRING *' to
>> #   'struct stack_st_STRING *'
>> ### mwccnlm Compiler:
>> #     142:          cinf->uri = sk_STRING_pop(aia);
>> #   Error:                                       ^
>> #   illegal implicit conversion from 'struct stack_st_STRING *' to
>> #   'struct stack_st *'
>> ### mwccnlm Compiler:
>> #     148:          X509_email_free(aia);
>> #   Error:                             ^
>> #   illegal implicit conversion from 'struct stack_st_STRING *' to
>> #   'struct stack_st_OPENSSL_STRING *'
>>
>> Errors caused tool to abort.
>>
>> I think that we had something similar already in the past, and you suggested a change
>> which was compatible with both 0.9.8 and 1.0.0 branches, but I can't recall ...
>> Or do we need to cleanly solve this with some version-dependent defines?
>>
> 
> See if the patch for bug #50121 resolves this for you.
> 

There's a slightly cleaner way of doing that; r1040366 in trunk fixes it for me.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org

Re: mod_ssl ssl_util_stapling.c warnings

Posted by Dr Stephen Henson <sh...@oss-institute.org>.
On 29/11/2010 21:46, Guenter Knauf wrote:
> Hi Steve,
> ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 1.0.0; MSVC
> warns:
> \modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : incompatible types
> - from 'struct stack_st_OPENSSL_STRING *' to 'struct stack_st_STRING *'
> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(142) : warning
> C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to
> 'struct stack_st *'
> C:\buildprep\httpd-2.3.x.10\modules\ssl\ssl_util_stapling.c(148) : warning
> C4133: 'function' : incompatible types - from 'struct stack_st_STRING *' to
> 'struct stack_st_OPENSSL_STRING *'
> 
> and my picky CodeWarrior breaks:
> Compiling ssl_util_stapling.c
> ### mwccnlm Compiler:
> #    File: ssl_util_stapling.c
> # ----------------------------
> #     140:      aia = X509_get1_ocsp(x);
> #   Error:                             ^
> #   illegal implicit conversion from 'struct stack_st_OPENSSL_STRING *' to
> #   'struct stack_st_STRING *'
> ### mwccnlm Compiler:
> #     142:          cinf->uri = sk_STRING_pop(aia);
> #   Error:                                       ^
> #   illegal implicit conversion from 'struct stack_st_STRING *' to
> #   'struct stack_st *'
> ### mwccnlm Compiler:
> #     148:          X509_email_free(aia);
> #   Error:                             ^
> #   illegal implicit conversion from 'struct stack_st_STRING *' to
> #   'struct stack_st_OPENSSL_STRING *'
> 
> Errors caused tool to abort.
> 
> I think that we had something similar already in the past, and you suggested a change
> which was compatible with both 0.9.8 and 1.0.0 branches, but I can't recall ...
> Or do we need to cleanly solve this with some version-dependent defines?
> 

See if the patch for bug #50121 resolves this for you.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org