httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brad Nicholes" <>
Subject mod_ssl TLS/SSL upgrade...
Date Fri, 05 Mar 2004 04:08:28 GMT
   I would like to resurrect an old discussion.  About a year and half
ago rbb and wrowe committed a patch for mod_ssl to provide the SSLEngine
upgrade capability.  It seems that one of the reasons for not back
porting it to the 2.0 tree was because there weren't really any clients
that supported it.  Well I know of at least one now which is Novell's
iPrint client and I suspect that there may be others out there.  Does
anyone see any major issues with backporting this functionality to 2.0? 
If not then I would like to propose it for back port and see if we can
get it done.  The attached patch can be applied to the 2.0 branch.  HEAD
already contains all of the patches.  Here
( a
hacked version of wget that is able to test the functionality.  Invoke
wget with the -u parameter to allow it to request the TLS/SSL upgraded


At 11:46 AM 10/15/2002, wrote:
>The second is SSL upgrade.  I have the patches, they haven't been
>committed yet.  I have attached them at the bottom of this message. 
>reason they haven't been committed, is that I don't have a client to
>them with, and I haven't had time to create one.  The responses are
>correct I have checked them in plain text.  The place that bugs most
>likely exist, is the actual upgrade code that does the handshake. 
This is
>an important feature, and I would really like to see it in 2.0.

I see a couple of very important aspects to this patch:

1) we must have an implementation of connection: upgrade for libwww,
   that is the mechanism we use for httpd-test/perl-framework.  I don't
   such a fix, so I'm just asking the community if anyone has explored

2) it has to be maintained.  I've looked at this patch, it appears
quite correct.
   I'm going to begin working on applying it to cvs HEAD.  I'm not
   about it quickly appearing in 2.0 since there are no clients right
now.  I'm
   much more concerned about it's availability once clients can support

3) right now, the ssl code (ssl_engine_io) was already pretty heavily
   The patch wasn't easy to apply.  We are discussing other
refactorings that
   will make SSL much simpler to follow and far less error-prone. 
Those will
   effectively invalidate the effort Ryan has already invested.

My proposed solution is to review the patch and apply it to cvs HEAD. 
Get it
committed.  Of course there are no test suites right now, and there
won't be
for a little while yet.  But once the code exists, it will be simpler
to keep the
SSL upgrade facility maintained, and debug it as the clients become
(most especially, libwww exercises through perl-framework.)

Any disagreement?

The current patch that applies to cvs HEAD is attached.


Brad Nicholes
Senior Software Engineer
Novell, Inc., the leading provider of Net business solutions 

View raw message