httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Geoff Thorpe <ge...@geoffthorpe.net>
Subject Re: [PATCH] openssl configuration
Date Fri, 28 Feb 2003 16:14:18 GMT
Hi Madhu,

* MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) (madhusudan_mathihalli@hp.com) wrote:
> 
> I agree that the current check is out-of-place, and it has to be changed. 
> But, your proposal of error'ing out based on version number is what
> concerned me. Think of ppl. who've patched their sources with the fixes ?.
> You don't want to be rejecting the toolkit based on the version number
> available in the header file. I got a lot of push-back (locally also) for
> proposing something like that. But, having said that, I don't know of a
> better method of informing the users.

It seems the only commentary I'm getting is this same thing so it has
the feel of consensus to me. Can I have suggestions please for two
version thresholds - one to be considered a minimum below which
configure should fail, and another which should be considered a
recommendation below which configure should emit warning text. The
existing configure.in (IIRC) errors out below 0.9.6e, in case that's
useful as a guide.

> >It would perhaps make sense to provide a "--force-ssl-ver" type of
> >option that would bypass version checks, and then have any version
> >checking failure text point out the existence of "--force-ssl-ver".
> [SNIP]
> 
> I like that.. If ppl. don't care what version of openssl they use, force
> them to move to the latest.. For others, they can always use the
> --force-ssl-ver flag. Does anybody else have comments ?.

Thom did, and if your previous efforts met with resistance that would
probably suggest there'll be others too. Perhaps the sense needs to be
reversed such than a "--strict-ssl-ver" flag can be used to force strict
version checking, otherwise a "softer" approach is taken by default. I
don't particularly care, I'd just like to get it to an acceptable level
so that the existing stuff can be replaced. The version check is not my
focus at all.

> [SNIP]
> >Erm, like what? The only candidate I can think of would be the RSA-C
> >toolkit? ...
> >The complexity doesn't seem worth the trouble to me.
> 
> Well, I actually went through the whole process of trying to get apache +
> mod_ssl working with RSA toolkit :) [I just haven't been able to put it
> to-gether and submit a patch].
> Although I realize that lots of ppl. are moving towards OpenSSL, I believe
> there are ppl out there who'd like to have a alternative to the OpenSSL kit.
> Think about having better SSL performance, the RSA toolkit performs better
> than OpenSSL toolkit [no bad feelings].. By introducing openssl specific
> stuff, we'd be making it more difficult to use mod_ssl (+ Apache) with any
> other kits. BUT, if ppl on the httpd-community think different, I have no
> problems to make mod_ssl be more OpenSSL friendly..
> 
> 
> >To support other SSL toolkits, the more sensible approach would be to
> >introduce alternative autoconf checks that are tailored to those
> >toolkits. 
> [SNIP]
> 
> I find it easier to use the same options for both OpenSSL and RSA.. The
> autoconf can verify the existance of RSA specific header files, and realize
> that it's a RSA toolkit and not OpenSSL. But again, this is my personal
> opinion here.. I don't know what's the best option - any suggestions ?.

That's an option too, but either way I think the processing should fork
early on depending on the nature of the toolkit it finds. Ie. the
obvious trick to start with would be, inside the --with-ssl=<dir>
processing, to do something like;
  if test -d $ap_ssltk_base/include/openssl
    [process openssl checks, -D.. defines,  and INCLUDE/LIBS/LDFLAGS
    configuration]
  elif test <some condition that identifies SSL-C> then
    [processing SSL-C]
  elif [etc]
  else
    AC_MSG_ERROR(What the hell does <dir> point to?)
  fi

I still maintain my view that attempting to having one generic set of
tests and setups for OpenSSL, SSL-C, and anything else that implements
enough of a compatibility layer to get close to supporting modules/ssl/,
would be too loose-fitting and vulnerable to ongoing divergence.

> >Likewise, the includes in mod_ssl.h should be
> >#ifdef,#elif,#endif'd so that you get precisely the headers you need for
> >precisely the toolkit you are using (and using precisely the header
> >paths defined in the respective API).
> 
> It's being done in the sources today (in ssl_toolkit_compat.h)

Ah, well then it's easier than I thought (I hadn't noticed
ssl_toolkit_compat.h). The OpenSSL includes should go in there because
that's precisely the place this sort of distinction can be handled.
Ie. in the "#ifdef OPENSSL_VERSION_NUMBER" section, we should include
those headers that OpenSSL itself should include to avoid all warnings,
support all available extensions, and use the correct "openssl/" path
prefix (this is not just aesthetics, it's *important* if the openssl
headers are installed and used from system-wide locations so that no
include munging is wanted or desired). Likewise, the SSL-C versions
could occur in that section of the header, and any divergence (other
than the path) between openssl and SSL-C will be handled there.

I can rejig my patch for this if there's agreement with the approach. I
assume the includes required for SSL-C match those that are in the
current mod_ssl.h?

> I don't know how many others have tried to do this, but based on my
> experience, most of the changes went into a header file.. There were very
> little modifications required to the .c files. However, I do echo your
> concern regarding how long will it be, before the two go in different ways.
> It might become more difficult to maintain one code base for supporting both
> the toolkits.

Well the approach in ssl_toolkit_compat.h looks good, I wish I'd spotted
it before (it shouldn't surprise you that I was more used to looking at
mod_ssl/apache-1.3 source so didn't expect to find that). As long as
compatiblity can be maintained merely by pre-compiler tricks and stub
functions/macros, then why not? I think the error is in trying to do
this transparently by trying to keep configure checks and source code
confined to areas of commonality between different toolkits. Those areas
will continue to shrink :-)

Cheers,
Geoff

-- 
Geoff Thorpe
geoff@geoffthorpe.net
http://www.geoffthorpe.net/


Mime
View raw message