httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: SSL support
Date Sun, 04 Feb 2001 19:03:02 GMT
Dave Jones wrote:
> 
> In message <Pine.LNX.4.21.0102040727001.12907-100000@koj>,
>   rbb@covalent.net writes:
> >> A fallback position would be to replace the bottom (i.e. socket) layer,
> >> but I'd rather avoid that if I can - however, if the answer to the above
> >> is "forget it", then I guess I need to know how one does that (I haven't
> >> looked, so just kick me if it's obvious).
> >
> >One doesn't.  :-)  It should be perfectly possible to create an SSL module
> >that is a filter.
> 
> The current mod_ssl works by simply handing over the socket fd to the OpenSSL
> library and letting it do reads and writes (by way of the BIO_s_fd callbacks)
> as it sees fit.  To make the reads and writes happening inside OpenSSL go to
> bucket streams instead, you have to write a class to replace BIO_s_fd.

That's not actually true - it is possible to drive OpenSSL as a state
machine, which is exactly what I'm doing - there are two demos in the
OpenSSL tree - state_machine (which I wrote) and tunala (which Geoff
Thorpe wrote).

> I think there is a good argument to be made that SSL should be implemented as
> a replacement for the socket layer, that's why it is named Secure Socket
> Layer.

It doesn't _replace_ it, it layers above it, which is why there's a good
argument for implementing it as a filter.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
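
The state-machine approach discussed in this message, as an added example that is not code from the thread, from mod_ssl, or from the OpenSSL demos it names. It uses Python's `ssl.MemoryBIO` and `wrap_bio`, which wrap OpenSSL memory BIOs, so the TLS engine never touches a socket fd; the host name and the alert record are constructed sample values.

```python
import ssl

# Constructed sample input: a TLS record carrying a fatal handshake_failure
# alert (type 21, version 3.3, length 2, level 2, description 40).
PEER_ALERT = bytes([21, 3, 3, 0, 2, 2, 40])

def step(tls):
    """Advance the handshake once and report what the engine needs next."""
    try:
        tls.do_handshake()
        return "done"
    except ssl.SSLWantReadError:
        return "want_read"      # engine is blocked on bytes we have not fed yet
    except ssl.SSLError:
        return "ssl_error"      # peer input was consumed and ended the handshake

def drive_client(server_name="example.test"):  # hypothetical host name
    incoming = ssl.MemoryBIO()  # ciphertext we feed in, from any transport
    outgoing = ssl.MemoryBIO()  # ciphertext the engine wants us to send
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=server_name)

    trace = [step(tls)]                 # emits the ClientHello, then stalls
    flight = outgoing.read()            # the caller owns delivery of these bytes
    rec_type = flight[0]                # TLS record content type
    rec_len = int.from_bytes(flight[3:5], "big")

    incoming.write(PEER_ALERT[:3])      # deliver only part of a record header
    trace.append(step(tls))             # still waiting; no I/O happened inside
    incoming.write(PEER_ALERT[3:])      # deliver the remainder
    trace.append(step(tls))             # alert is parsed out of the buffer
    return trace, rec_type, rec_len, len(flight)

if __name__ == "__main__":
    print(drive_client())
```

A filter built this way would copy `outgoing` into the downstream bucket stream and write upstream data into `incoming`, in whatever chunk sizes arrive.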
