httpd-dev mailing list archives

From "William A. Rowe, Jr."
Subject Re: Reward SSL and IE
Date Tue, 21 Jun 2005 22:08:46 GMT
At 02:27 PM 6/21/2005, Jeff White wrote:

>Is one's latest web server compiled with
>the Microsoft designed (for any OS)
>Safer CRT libraries?

There's nothing "Safe" about the standard C library or Microsoft's 
library, except how they are used.  Most all necessary behaviors 
(buffer length args to avoid overruns, etc) are now part of all 
modern C libraries, in POSIX-compliant flavors.

Sadly, and par for the course, Microsoft is disinterested in any
portability.  Therefore relatively trivial conventions become
convoluted as Microsoft pollutes the namespace with their own
proprietary inventions.

In fact the HTTP project believes in certain typical C library
behaviors as much safer than Microsoft's concept of "safety".
For example, dereferencing a NULL pointer is something that can
happen throughout the httpd server code.  In every case, a non-
NULL value is an unexpected fatal condition, and every platform
will fault when that condition occurs.

Is it "better" than wordy error messages and clean failures?
That's left as an exercise to the developer.  But in this team's
opinion, allowing the compiler and library to do exactly what 
they were designed to do, and break upon hitting these exceptions,
ensures that no further processing occurs for broken code.

Since there is no error in processing this request, but it happens
to be a logic error in SSL handshaking, I doubt either fiddler or
ethereal will help any for the casual developer.  Certainly the
'safe' libraries would do little to nothing.

