httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject RE: [PATCH] openssl configuration (v2)
Date Thu, 13 Mar 2003 05:03:15 GMT
Madhu, I really like the gist of this patch.

I'm trying to get rolling 2.0.45 out the door, so I haven't had time to
watch your conversation.  I have my own toolkit patch for SSL-C 2.3
that probably breaks earlier SSL-C flavors.  This is why I haven't had
time to investigate/respond - spending too much time in firefighting mode :-/

I see no reason, though, to leave the 'old' detection stub lying around.
If you are ready to replace it, axe it.  That's what CVS versioning is for.

I'd be happy to offer more insight once we've let 2.0.45 fly, and work in
my own patches.  I suppose the obvious question is which SSL-C flavors
do we really expect to support?  Only 2.3?  2.3 and 2.1?  Further back
with the time machine?

It seems like a waste to spend a lot of cycles on old library versions
--- I would personally vote for 2.3 and 2.1 only (most likely to be patched
against modern SSL evils.)  (2.2 was effectively 2.1 with some extra
libraries bundled alongside.)

But we cannot quit testing for the SSL_set_state sort of functions (I don't
know if you did or not) because I for one enjoy forcing SSL-C to do what
it should have done in the first place :-)  Please don't clobber function
detection in your final patch, please!

Bill


At 08:30 PM 3/12/2003, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
>Okay.. I've added some little checks to get SSL-C to be recognized. Here's a
>patch (relative to Geoff's patch) that does some checking.. I've added the
>complete patch as attachment (also). If nobody has any objections, I'd like
>to commit this.
>
>Thanks
>-Madhu
>
>
>
>105,106c107,112
>< +    dnl FIXME: we currently don't check anything for SSL-C
>< +    AC_MSG_RESULT([OK, but I didn't really check])
>---
>> +    AC_TRY_COMPILE([#include <sslc.h>],
>> +[#if !defined(SSLC_VERSION_NUMBER) || SSLC_VERSION_NUMBER < 0x2100
>> +#error "invalid SSL-C version"
>> +#endif],
>> +    [AC_MSG_RESULT(OK)],
>> +    [AC_MSG_ERROR([SSL-C Versions < 2.1 has not been tested])])
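Review bot: In the failure branch of AC_TRY_COMPILE, every compile failure is reported as "SSL-C Versions < 2.1 has not been tested", including the cases where sslc.h is not found on the include path or SSLC_VERSION_NUMBER is not defined at all. Because this check decides which TLS toolkit the server is built against, the message should say what actually went wrong: check for the header first (for example with AC_CHECK_HEADER) and only then run the version comparison, and reword the error to "SSL-C versions older than 2.1 have not been tested". AC_MSG_RESULT(OK) is also left unquoted, unlike the bracketed form of the line it replaces.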
>125,126c131,136
>< +  AC_CHECK_LIB(crypto, SSLeay_version, [], [liberrors="yes"])
>< +  AC_CHECK_LIB(ssl, SSL_CTX_new, [], [liberrors="yes"])
>---
>> +  if test "$ap_ssltk_type" = "openssl"; then
>> +    AC_CHECK_LIB(crypto, SSLeay_version, [], [liberrors="yes"])
>> +    AC_CHECK_LIB(ssl, SSL_CTX_new, [], [liberrors="yes"])
>> +  else
>> +    AC_CHECK_LIB(sslc, SSL_CTX_new, [], [liberrors="yes"])
>> +  fi
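Review bot: The else branch of test "$ap_ssltk_type" = "openssl" treats every other value as SSL-C, so an empty or mistyped toolkit type silently probes libsslc instead of stopping configure. Test for the SSL-C value explicitly and call AC_MSG_ERROR for anything else. The SSL-C branch also probes only SSL_CTX_new, while the OpenSSL branch checks one symbol per library; if mod_ssl needs other SSL-C entry points at link time, probe one of them here so an incomplete install is caught by configure rather than during the build.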
>152,155c162,168
>< +  dnl (d) add "-lssl -lcrypto" to LIBS because restoring LIBS after
>< +  dnl AC_CHECK_LIB() obliterates any flags AC_CHECK_LIB() added.
>< +  APR_ADDTO(LIBS, [-lssl -lcrypto])
>< +
>---
>> +  dnl (d) add "-lssl -lcrypto" OR "-lsslc" to LIBS because restoring LIBS
>> +  dnl after AC_CHECK_LIB() obliterates any flags AC_CHECK_LIB() added.
>> +  if test "$ap_ssltk_type" = "openssl"; then
>> +    APR_ADDTO(LIBS, [-lssl -lcrypto])
>> +  else
>> +    APR_ADDTO(LIBS, [-lsslc])
>> +  fi
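Review bot: The if/else on $ap_ssltk_type around APR_ADDTO repeats the branch already used for the AC_CHECK_LIB calls, and the two copies can drift apart when a toolkit is added or renamed, leaving configure checking one library and linking another. Record the library flags once at the point where the toolkit is checked and pass that value to a single APR_ADDTO(LIBS, ...) here. As written, the catch-all else also means any value other than "openssl" ends up linking -lsslc.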
>
>
>
>
>
>-----Original Message-----
>From: Geoff Thorpe [mailto:geoff@geoffthorpe.net]
>Sent: Wednesday, March 12, 2003 2:38 PM
>To: dev@httpd.apache.org
>Cc: Madhusudan Mathihalli
>Subject: Re: [PATCH] openssl configuration (v2)
>
>
>Hi Madhu,
>
>Thanks for giving the latest incarnation a review.
>
>* MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) (madhusudan_mathihalli@hp.com)
>wrote:
>> 
>> I tried the patch, and it seemed to work fine for me (and it's more cleaner
>> than what we have today).
>> 
>> - I don't know how SSL-C will be broken with this patch
>> - Anybody out there using SSL-C ?
>> - I have a patch to get SSL-C to work with mod_ssl.. I'll have to dust it
>> out, before posting the patch.
>
>If it helps move things along I'd be happy to sift through your existing
>patch to see what it does. Although the two patches are unlikely to
>cohabitate, it should be obvious enough from your patch what (if
>anything) needs changing in mine to achieve SSL-C's needs, and I could
>send an updated version with whatever I find? Ball, your court, etc :-)
>
>As for testing SSL-C, can't we just approach Eric or Tim? Or do Covalent
>or any other commercial Apache vendor use SSL-C? These would seem the
>obvious avenues to me, but I don't want to pre-empt whatever
>communications are already going w.r.t. SSL-C support. Just let me know
>if I can help in some way.
>
>> - any objections
>
>Not from me, but then that should come as no surprise ...
>
>Cheers,
>Geoff
>
>-- 
>Geoff Thorpe
>geoff@geoffthorpe.net
>http://www.geoffthorpe.net/
>


