httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <madhusudan_mathiha...@hp.com>
Subject RE: [PATCH] openssl configuration
Date Thu, 27 Feb 2003 23:31:12 GMT
>-----Original Message-----
>From: Geoff Thorpe [mailto:geoff@geoffthorpe.net]

[SNIP]
>The current version checks are
>implemented in a cock-eyed fashion and are also out of date (0.9.6e used
>to be a meaningful cut-off point, but that has changed more recently).

I agree that the current check is out-of-place, and it has to be changed. 
But, your proposal of error'ing out based on version number is what
concerned me. Think of ppl. who've patched their sources with the fixes ?.
You don't want to be rejecting the toolkit based on the version number
available in the header file. I got a lot of push-back (locally also) for
proposing something like that. But, having said that, I don't know of a
better method of informing the users.


>It would perhaps make sense to provide a "--force-ssl-ver" type of
>option that would bypass version checks, and then have any version
>checking failure text point out the existence of "--force-ssl-ver".
[SNIP]

I like that.. If ppl. don't care what version of openssl they use, force
them to move to the latest.. For others, they can always use the
--force-ssl-ver flag. Does anybody else have comments ?.


[SNIP]
>Erm, like what? The only candidate I can think of would be the RSA-C
>toolkit? ...
>The complexity doesn't seem worth the trouble to me.

Well, I actually went through the whole process of trying to get apache +
mod_ssl working with RSA toolkit :) [I just haven't been able to put it
to-gether and submit a patch].
Although I realize that lots of ppl. are moving towards OpenSSL, I believe
there are ppl out there who'd like to have a alternative to the OpenSSL kit.
Think about having better SSL performance, the RSA toolkit performs better
than OpenSSL toolkit [no bad feelings].. By introducing openssl specific
stuff, we'd be making it more difficult to use mod_ssl (+ Apache) with any
other kits. BUT, if ppl on the httpd-community think different, I have no
problems to make mod_ssl be more OpenSSL friendly..


>To support other SSL toolkits, the more sensible approach would be to
>introduce alternative autoconf checks that are tailored to those
>toolkits. 
[SNIP]

I find it easier to use the same options for both OpenSSL and RSA.. The
autoconf can verify the existance of RSA specific header files, and realize
that it's a RSA toolkit and not OpenSSL. But again, this is my personal
opinion here.. I don't know what's the best option - any suggestions ?.


>Likewise, the includes in mod_ssl.h should be
>#ifdef,#elif,#endif'd so that you get precisely the headers you need for
>precisely the toolkit you are using (and using precisely the header
>paths defined in the respective API).

It's being done in the sources today (in ssl_toolkit_compat.h)


>The more things go, the more
>OpenSSL and RSA-C are likely to diverge - I strongly suspect they've
>already diverged too far for the code in its current form, but perhaps
>I'm mistaken there. If the only issue right now between the two is what
>prefix we do or don't add to the include paths, then that should be
>considered extremely good fortune. Sooner or later though, we'd end up
>needing to separating things with precompiler logic to handle
>differences between toolkits, syntax, symbol definitions, enhancements,
>optional extras, etc. 


I don't know how many others have tried to do this, but based on my
experience, most of the changes went into a header file.. There were very
little modifications required to the .c files. However, I do echo your
concern regarding how long will it be, before the two go in different ways.
It might become more difficult to maintain one code base for supporting both
the toolkits.

-Madhu

Mime
View raw message