httpd-dev mailing list archives

From Geoff Thorpe <>
Subject Re: mod_ssl to-do items
Date Fri, 07 Mar 2003 23:08:53 GMT

* John K. Sterling ( wrote:
> As justin said, this is something that has been randomly discussed from
> time to time for many years now.  MANY people see the need for this for
> obvious reasons.
> As for the STATUS file entry, the concrete meaning (from a high level):
> 1) create a pluggable session storage interface (ala perl's tied hash)
> 2) expose it to apache modules
> 3) implement some standard back-ends
> 4) convert the ssl code to use it for session storage.

Yup, makes sense. I'm still wondering if the right way to do this is in
openssl though, because it's a generic problem for SSL/TLS rather than
anything specific to HTTPS (and in theory there is no reason why Apache
shouldn't be able to share a session cache with other SSL/TLS software).

> I have heard of some pluggable C session storage code out there, but to
> add another external project dependency would be lame.  perhaps it could
> get added to apr-util... otherwise mod_ssl would have to compile it in locally.

I don't know if this is/was distcache, but distcache is about half my
interest in this subject (the other half being openssl). I'm waiting to
finish the openssl configuration stuff in http-2.0 before trying to
submit a patch for distcache support - so if modularising might affect
this I could look at it at the same time and perhaps save myself some
effort later on. I think however that the current caching interface is
not a great base to be generalising from (which to be fair is
essentially inherited from the same limiting interface in OpenSSL that
hasn't been substantially touched since SSLeay days).

Is anyone working on this already or ready to do so now? If so please
make contact so we can avoid duplication of effort. If not, I'll start
giving it some thought, although I'll probably ask that I be allowed to
sort out and contribute my distcache hooks into the existing modules/ssl
first. I need to clear a few things off my TODO list before embarking on
investigations of this sort.

One of the issues about modularising session caching is that it would
make a lot of sense to allow caches to be "stacked". This already
happens in some sense with openssl managing a per-process stack and
apache's SSLSessionCache allowing an application cache to be plugged in
on top. That limiting interface I spoke of already causes problems at
this point, because there's no "has_session" type of hook that allows
the inner cache to quickly check with the external cache in case a
locally-cached session has been *cancelled* by the external cache. This
created a vulnerability that was fixed in Apache-2 when I raised the
subject on the modssl-users list, but as far as I know is still lurking
unchanged in mod_ssl/apache-1.3.  The fix of course has no choice but to
shut off the internal cache completely and use the external cache
directly. So this same interface is not going to lead to any clean way
to layer caching mechanisms.

(This is stuff I've been dealing with in distcache BTW, but that's
another spiel for another day).

Thanks for getting back to me about this.


Geoff Thorpe
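The stacked-cache problem described in the message above, as an added C model (not OpenSSL's or mod_ssl's code): a per-process local cache layered over a shared external cache, where the external side cancels a session and the local copy is either trusted blindly or re-checked through a "has_session" style hook. All names (`cache_has`, `may_resume`, `resumes_after_external_cancel`) and the four-byte session id are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_SESS 8
#define ID_LEN 4

/* Constructed model: a cached session is reduced to its id. 'outer' links a layer to the
   next one out (e.g. the shared external cache); NULL marks the outermost layer. */
struct slot { unsigned char id[ID_LEN]; bool present; };
struct cache { struct slot table[MAX_SESS]; struct cache *outer; };

static struct slot *find(struct cache *c, const unsigned char *id) {
    for (int i = 0; i < MAX_SESS; i++)
        if (c->table[i].present && memcmp(c->table[i].id, id, ID_LEN) == 0)
            return &c->table[i];
    return NULL;
}

/* New session after a full handshake: store it in this layer and every layer outside it. */
void cache_store(struct cache *c, const unsigned char *id) {
    for (; c; c = c->outer) {
        if (find(c, id)) continue;
        for (int i = 0; i < MAX_SESS; i++)
            if (!c->table[i].present) { memcpy(c->table[i].id, id, ID_LEN); c->table[i].present = true; break; }
    }
}

/* Cancel a session in one layer only, as another process would do in the shared cache. */
void cache_remove_here(struct cache *c, const unsigned char *id) {
    struct slot *s = find(c, id);
    if (s) s->present = false;
}

/* The "has_session" hook the message asks for: true only if every layer from c outward
   still holds the id, so a locally cached copy cannot outlive its external cancellation. */
bool cache_has(struct cache *c, const unsigned char *id) {
    for (; c; c = c->outer) if (!find(c, id)) return false;
    return true;
}

/* Resumption decision. Without the hook a local hit is trusted even though the external
   layer cancelled it; with the hook the stale local copy is dropped and resumption refused. */
bool may_resume(struct cache *local, const unsigned char *id, bool use_hook) {
    struct slot *s = find(local, id);
    if (!s) return local->outer ? may_resume(local->outer, id, use_hook) : false;
    if (!use_hook || cache_has(local, id)) return true;
    s->present = false;
    return false;
}

/* Scenario from the thread: session cached locally and externally, then cancelled externally. */
bool resumes_after_external_cancel(bool use_hook) {
    static const unsigned char id[ID_LEN] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed id */
    struct cache external = {0}, local = {0};
    local.outer = &external;
    cache_store(&local, id);
    cache_remove_here(&external, id);
    return may_resume(&local, id, use_hook);
}
```

The unchecked path is the behaviour the message describes as the vulnerability; the checked path is what a layered interface with a has_session hook would allow without having to disable the internal cache entirely.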
