From: "Georg v. Zezschwitz"
To: dev@httpd.apache.org
Date: Tue, 5 Jul 2005 14:32:48 +0200
Subject: Patch for 2.0.54 + OpenSSL 0.9.8
Message-ID: <20050705123248.GE23007@2scale.net>
Mailing-List: dev@httpd.apache.org (run by ezmlm)

Hi, the OpenSSL team will pretty soon release 0.9.8 as a stable release.
However, currently 2.0.54 cannot be built with 0.9.8beta6, as a pem.h definition has changed. The OpenSSL team considers this renaming a bug correction, so compilation of mod_ssl will go on to fail. OpenSSL 0.9.8 will introduce SSL compression (which has in principle been defined since SSLv3; however, concrete compression methods like DEFLATE were "RFCed" in May 2004). I have attached a patch to make mod_ssl compile with OpenSSL 0.9.8, and also added an SSL variable "SSL_COMP_METHOD" to allow logging (and other usages) of the negotiated compression method. Moreover, I have - to my best knowledge - extended the documentation. Could anybody check this and decide whether to include it? I guess quite some confusion will happen if OpenSSL 0.9.8 is finally out and using it with Apache 2.0.54 fails. Also, please don't kill the messenger :-) - it is not my decision to change the OpenSSL include file definition...

Regards,
Georg v. Zezschwitz

Attachment: httpd-2.0.54-ssl0.9.8.patch (text/plain)

diff -cr httpd-2.0.54.orig/docs/manual/mod/mod_ssl.xml httpd-2.0.54/docs/manual/mod/mod_ssl.xml *** httpd-2.0.54.orig/docs/manual/mod/mod_ssl.xml Fri Feb 4 21:21:18 2005 --- httpd-2.0.54/docs/manual/mod/mod_ssl.xml Tue Jul 5 11:53:55 2005 *************** *** 65,70 **** --- 65,71 ---- SSL_CIPHER_EXPORT string true if cipher is an export cipher SSL_CIPHER_USEKEYSIZE number Number of cipher bits (actually used) SSL_CIPHER_ALGKEYSIZE number Number of cipher bits (possible) + SSL_COMP_METHOD string SSL compression method negotiated SSL_VERSION_INTERFACE string The mod_ssl program version SSL_VERSION_LIBRARY string The OpenSSL program version SSL_CLIENT_M_VERSION string The version of the client certificate diff -cr httpd-2.0.54.orig/docs/manual/ssl/ssl_faq.xml httpd-2.0.54/docs/manual/ssl/ssl_faq.xml *** httpd-2.0.54.orig/docs/manual/ssl/ssl_faq.xml Fri Feb 4 21:21:18 2005 ---
httpd-2.0.54/docs/manual/ssl/ssl_faq.xml Tue Jul 5 12:14:15 2005 *************** *** 680,685 **** --- 680,686 ----
  • HTTPS and name-based vhosts
  • Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
  • +
  • How do I get SSL compression working?
  • The lock icon in Netscape locks very late
  • Why do I get I/O errors with MSIE clients?
  • Why do I get I/O errors with NS clients?
  • *************** *** 804,809 **** --- 805,827 ---- Use different port numbers for different SSL hosts.

    +
    How do I get SSL compression working? +

    Although SSL compression negotiation was already defined in the specification + of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as + a negotiable standard compression method. +

    +

    OpenSSL 0.9.8 started to support this by default when compiled with the + zlib option. If both the client and the server support compression, + it will be used. However, most clients still try to initially connect with an + SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms + in its handshake, compression can not be negotiated with these clients. + If the client disables support for SSLv2, based on the used SSL library + a SSLv3 or TLS Hello might be sent and compression might be set up. + You can check if clients make use of SSL compression by logging the + variable SSL_COMP_METHOD. +

    +
    +
    When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted? diff -cr httpd-2.0.54.orig/modules/ssl/ssl_engine_vars.c httpd-2.0.54/modules/ssl/ssl_engine_vars.c *** httpd-2.0.54.orig/modules/ssl/ssl_engine_vars.c Fri Feb 4 21:21:18 2005 --- httpd-2.0.54/modules/ssl/ssl_engine_vars.c Tue Jul 5 10:51:40 2005 *************** *** 47,52 **** --- 47,53 ---- static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); + static char *ssl_var_lookup_ssl_comp_method(SSL *ssl); static int ssl_is_https(conn_rec *c) { *************** *** 282,287 **** --- 283,291 ---- if ((xs = SSL_get_certificate(ssl)) != NULL) result = ssl_var_lookup_ssl_cert(p, xs, var+7); } + else if (ssl != NULL && strlen(var) >= 11 && strcEQn(var, "COMP_METHOD", 7)) { + result = ssl_var_lookup_ssl_comp_method(ssl); + } return result; } *************** *** 594,599 **** --- 598,636 ---- } return result; } + + static char *ssl_var_lookup_ssl_comp_method(SSL *ssl) + { + char *result = "NULL"; + #ifdef OPENSSL_VERSION_NUMBER + #if (OPENSSL_VERSION_NUMBER >= 0x00908000) + SSL_SESSION *pSession = SSL_get_session(ssl); + + if (pSession) { + switch (pSession->compress_meth) { + case 0: + /* default "NULL" already set */ + break; + + /* Defined by RFC 3749, deflate is coded by "1" */ + case 1: + result = "DEFLATE"; + break; + + /* IANA assigned compression number for LZS */ + case 0x40: + result = "LZS"; + break; + + default: + result = "UNKNOWN"; + break; + } + } + #endif + #endif + return result; + } /* _________________________________________________________________ ** diff -cr httpd-2.0.54.orig/modules/ssl/ssl_toolkit_compat.h httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h *** 
httpd-2.0.54.orig/modules/ssl/ssl_toolkit_compat.h Fri Feb 4 21:21:18 2005 --- httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h Tue Jul 5 11:33:33 2005 *************** *** 99,104 **** --- 99,111 ---- #define HAVE_SSL_X509V3_EXT_d2i #endif + #ifndef PEM_F_DEF_CALLBACK + #ifdef PEM_F_PEM_DEF_CALLBACK + /* In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */ + #define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK + #endif + #endif + #elif defined (SSLC_VERSION_NUMBER) /* RSA */ /* sslc does not support this function, OpenSSL has since 9.5.1 */
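Review bot: In the mod_ssl.xml hunk (lines 65,70), the new table row "SSL_COMP_METHOD string SSL compression method negotiated" should also say what the variable holds when nothing was negotiated: the accompanying ssl_engine_vars.c code returns the literal string NULL both when no compression is in use and when httpd is built against an OpenSSL older than 0.9.8, and UNKNOWN for a method number it does not recognise. Someone reading a log full of NULL needs that spelled out to avoid concluding that every client refused compression; a description along the lines of "SSL compression method negotiated (NULL if none, or if OpenSSL < 0.9.8)" would do.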
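Review bot: In the ssl_faq.xml hunk (lines 804,809), the opening sentence of the new entry says compression negotiation was "already defined in the specification of SSLv2 and TLS", but the same paragraph then states that SSLv2 "did not include an array of prefered compression algorithms in its handshake", and the cover mail says compression has been defined since SSLv3; the first sentence should read SSLv3 and TLS. In the same paragraph, "prefered" should be "preferred" and "can not" should be "cannot".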
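Review bot: In the ssl_engine_vars.c hunk at lines 282,287 the prefix length is wrong: `strcEQn(var, "COMP_METHOD", 7)` compares only the first seven characters, so any variable name beginning with COMP_ME would select the compression lookup, while the preceding `strlen(var) >= 11` guard shows the full eleven-character name was intended. Since COMP_METHOD carries no sub-field after the name (unlike the CLIENT_/SERVER_ branches above it, which pass var+7 on), an exact compare is the clearer fix, e.g. `else if (ssl != NULL && strcEQ(var, "COMP_METHOD")) {`, assuming the strcEQ macro is available next to strcEQn in this file; otherwise change the 7 to 11.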
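Review bot: In the ssl_engine_vars.c hunk at lines 594,599 the new ssl_var_lookup_ssl_comp_method() reads `pSession->compress_meth` directly, which ties mod_ssl to the layout of OpenSSL's SSL_SESSION struct and to a hand-maintained table of method numbers (0, 1, 0x40). OpenSSL 0.9.8 also exposes SSL_get_current_compression() and SSL_COMP_get_name() (in ssl.h, under the OPENSSL_NO_COMP guard), which return the name of whatever method the library itself negotiated without the switch statement and without breaking if further methods are registered later; that is worth considering before this is committed. If the switch stays, the NULL guard on SSL_get_session() is correct for a lookup made before the handshake completes, and the RFC 3749 / IANA comments on the case labels are helpful, but the "UNKNOWN" fallback would be more useful for debugging if it included the numeric value, e.g. via apr_psprintf(), which would need the pool passed in like the other ssl_var_lookup_ssl_* helpers.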
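Review bot: In the ssl_toolkit_compat.h hunk (lines 99,104) the compatibility define is the right approach and is correctly placed inside the OpenSSL branch ahead of `#elif defined (SSLC_VERSION_NUMBER)`, but the nested `#ifndef PEM_F_DEF_CALLBACK` / `#ifdef PEM_F_PEM_DEF_CALLBACK` pair reads more clearly as one condition, `#if !defined(PEM_F_DEF_CALLBACK) && defined(PEM_F_PEM_DEF_CALLBACK)`, and the comment should name the new symbol so anyone grepping for the 0.9.8 name lands here: `/* OpenSSL 0.9.8 renamed PEM_F_DEF_CALLBACK to PEM_F_PEM_DEF_CALLBACK */`.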