httpd-dev mailing list archives

From "Ralf S. Engelschall" <...@engelschall.com>
Subject Re: cvs commit: httpd-2.0/modules/tls config.m4
Date Sat, 05 May 2001 15:47:01 GMT

In article <3AF3FEBA.F0BBD6EC@algroup.co.uk> you wrote:

> [...]
>> Ben got all the kinks worked out of how to do the basic SSL/TLS stuff within
>> the filter system. Modules such as mod_ssl (and possibly others) are to
>> build on that.
> 
> That's the basic idea, though what it's called and how it integrates I
> don't particularly care about. The first obvious candidate for also
> using mod_tls is the proxy - for outbound SSL requests, of course, which
> means mod_tls will need some work doing on it.
> 
> It will also need lots of hooks adding to allow the appropriate
> integration of certificate handling, caching and so forth. This is
> particularly interesting when considered in conjunction with support of
> other crypto libraries (or scary, depending on how you look at it :-).
> 
> The bottom line is, of course, that it is necessary to have a filter to
> do SSL, but we want one that is sufficiently independent of mod_ssl to
> be useful for other things. I suspect that this means that mod_ssl will
> end up being a bunch of different modules handling various hooks, but we
> shall see what emerges :-)

Yes, finally mod_ssl certainly should end up with a plain SSL layer
(which is what currently is mod_tls plus lots more hooks) and an
application layer (which is the current mod_ssl without some now
obsolete things).

But keep in mind that we have to do all this step by step. That's
why my first goal is to have mod_ssl working at all inside Apache
2.0 by just taking over the mechanism/code of mod_tls. After mod_ssl
was reduced to a minimum and is working we can axe it even more and
split it into different modules, etc. But providing a full-featured
SSL/TLS integration is a horribly complex task, so we really have to be
very very careful not to do too many steps at once. Unless we want
to require two more years until Apache 2.0 has a full-featured SSL
implementation ;)

So, don't panic. Ben and I will work closely together and try hard to
provide the best and cleanest SSL/TLS solution for Apache 2.0 money
can't buy. But it needs time. And first I have to strip down mod_ssl to
a minimum and get it going at all. After this Ben and I will sit down
and try to add abstraction layers, split code into pieces, etc. But do
not expect all this to happen at once or within a week. I'm sure we need
between 2 and 3 months for all this...

PS: One more "don't panic". Currently I'm hacking wildly only inside
    modules/ssl/ and trying hard to not touch anything outside related to
    SSL. So, even if you see me trashing anything in mod_ssl over the
    next two weeks, don't think this means anything to the other parts
    of Apache 2.0. But the port of mod_ssl to Apache 2.0 is far away
    from being trivial and hence a lot of woodcutting for mod_ssl is
    required. Especially because I want to fulfill Ben's wish to reduce
    mod_ssl to its essential parts and this way make it easier to hack
    and maintain for the whole group in the future.

Yours,
                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
