httpd-dev mailing list archives

From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject: 2.2.4 windows binary w/ssl?
Date: Wed, 10 Jan 2007 19:57:52 GMT

I'd like to propose we ship apache_2.2.4-win32-x86-openssl-0.9.8d.msi with
this release.  Couple of notes...

Roy has started the details spelled out at http://www.apache.org/dev/crypto.html
and I'm certain he will complete them sometime shortly, here.  That's a red
flag that prevents us from making this available, even on /dev/dist/ for your
evaluation.  Trust that I will first upload the proposed package to /dev/dist/
for feedback before it lands in /dist/httpd/binaries/win32/.

apache_2.2.4-win32-x86-ssl.msi was the anticipated name.  The more I consider
how tightly bound such a distribution is to openssl, and the version bound to
the various security features in the corresponding release of openssl, the
more I think we need an explicit package name.

The zlib package used today is stock 1.2.3 with the /Oy- optimization override,
to ensure we can read the Dr Watson backtrace for a crash report with or w/o
the user deploying .pdb files.  It adds .pdb generation (/Zi linked with the
/debug /opt:ref flags) which adds no overhead to the binary, but creates a
parallel .pdb file.

The openssl package will be built also with /Oy- disable to ensure we can read
backtraces (even more critical given how we hook into the module!) and also
generating .pdb files.  It will be configured no-mdc2 no-rc5 no-idea enable-zlib
against the zlib package I cited above.  (This is not zlib-dynamic!!! That would
be a thread-unsafe choice :)

Almost any stock build using openssl's own ms/ntdll.mak file will work to
replace it, if the user chooses.  Install path, like zlib, is private within
Apache2\bin\ (that's an aspect of how binary search paths work on win32, where
the lib\ directory isn't well suited for loadable libraries.)

Note that the package then includes mod_ssl.so, and ab.exe compiled against
openssl for https: stress measurement.  It also includes openssl.exe for the
generation of keys and certs.

A final question for all: do we wish to install an arbitrary, on-the-fly
self-signed default.crt/default.key?  Do we want to help them fill out the details
or use stock details?  Or do we want them to use openssl.exe to generate one
for themselves?

