Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 97083 invoked from network); 13 Sep 2008 10:59:24 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 13 Sep 2008 10:59:24 -0000 Received: (qmail 51869 invoked by uid 500); 13 Sep 2008 10:59:19 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 51792 invoked by uid 500); 13 Sep 2008 10:59:19 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 51781 invoked by uid 99); 13 Sep 2008 10:59:18 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 13 Sep 2008 03:59:18 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of minfrin@sharp.fm designates 72.32.122.47 as permitted sender) Received: from [72.32.122.47] (HELO chandler.sharp.fm) (72.32.122.47) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 13 Sep 2008 10:58:20 +0000 Received: from chandler.sharp.fm (localhost [127.0.0.1]) by chandler.sharp.fm (Postfix) with ESMTP id A6D05130055 for ; Sat, 13 Sep 2008 05:58:51 -0500 (CDT) Received: from Macintosh.config (87-194-125-15.bethere.co.uk [87.194.125.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: minfrin@sharp.fm) by chandler.sharp.fm (Postfix) with ESMTP id 0161EDC00E for ; Sat, 13 Sep 2008 05:58:50 -0500 (CDT) Message-ID: <48CB9CE9.4000209@sharp.fm> Date: Sat, 13 Sep 2008 12:58:49 +0200 From: Graham Leggett User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707) MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: Crypto and initialisation References: <48CAADC1.4080904@sharp.fm> <48CAB79E.4030009@force-elite.com> In-Reply-To: <48CAB79E.4030009@force-elite.com> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms080608060804080200030406" X-Virus-Scanned: ClamAV using ClamSMTP X-Virus-Checked: Checked by ClamAV on apache.org This is a cryptographically signed message in MIME format. --------------ms080608060804080200030406 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Paul Querna wrote: > Then the API is broken. > > OpenSSL and GnuTLS both allow 'double' initialization, as long as they > are also deinitiilzed the same number of times, just like APR does too. > >> What I propose to do to fix this for v2.4 and beyond is write a simple >> module mod_crypto whose job it is to initialise the user's chosen >> crypto(s) at most once, and serve as a parent module to mod_ssl and >> any other crypto module that wants to play. > > Make the API authors fix their APIs, don't add another module. I suspect we are 12 years too late on this particular issue. While the httpd project certainly is well known, I would be pressed to think that Microsoft or NSS will change their long established APIs on our account. If OpenSSL does support double initialisation (this capability isn't mentioned in the OpenSSL API), then the problem is reduced to modules using NSS or CAPI only, which means that the scope of the initialisation module would reduce to modules using the crypto abstraction layer only, and mod_ssl can be left alone. This does sound like a cleaner approach. Regards, Graham -- --------------ms080608060804080200030406 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNTCC AvUwggJeoAMCAQICEAxljuBYvPVR3WhH6nkbTPowDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA3MTAxNDEyMzQyMVoX DTA4MTAxMzEyMzQyMVowXTEQMA4GA1UEBBMHTGVnZ2V0dDEPMA0GA1UEKhMGR3JhaGFtMRcw FQYDVQQDEw5HcmFoYW0gTGVnZ2V0dDEfMB0GCSqGSIb3DQEJARYQbWluZnJpbkBzaGFycC5m bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLUMqDEkhgiT7ePdkErBVE2tND+ 6C8ElWEOaCSdbAlvwUXgKFzIR7zaD6c1CS2czmBslMwEb3LJHPWjgPN497wSERghkeAa+Fyw WqydJr+6WE1G67wHsg67tmGPAxG0Lf6eKpsiyh+u0ojKk4n0mRZ6HQxu6PqZYzJ2vOrT4gYz uVlz4O8TRhHOXGKqclCTxVOfEQMS3AmKDkdkNKJxgkrXSCDZ3mWs1K7yuZ6f0/30Z6AvseTF N7CWPD7uuf5TvaVd5luOYiprUTl+u+0+CHjG4uiug54FZAyID5N7cMJy6iBRHPfLk4cU+Ksi R99WkanPHb9wVQ2F34S+7yGdwqECAwEAAaMtMCswGwYDVR0RBBQwEoEQbWluZnJpbkBzaGFy cC5mbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4GBAB76lZ2i2DDcVPlrcDWPrGIk mcZSoWm/7HLRvws4+jbZ++bczzUruhm1t410Z8oj95sU5pQ83SoGS3RXAn/+TX0cpgNtx4Sw J+Nfhvey2w1TE/NLlN3n7q0m7Bm4j4+zNKXLjFj6B30Ifce8qHw7l69MSVcKoJiyd8EMM4q8 Dm+wMIIC9TCCAl6gAwIBAgIQDGWO4Fi89VHdaEfqeRtM+jANBgkqhkiG9w0BAQUFADBiMQsw CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDcxMDE0MTIz NDIxWhcNMDgxMDEzMTIzNDIxWjBdMRAwDgYDVQQEEwdMZWdnZXR0MQ8wDQYDVQQqEwZHcmFo YW0xFzAVBgNVBAMTDkdyYWhhbSBMZWdnZXR0MR8wHQYJKoZIhvcNAQkBFhBtaW5mcmluQHNo YXJwLmZtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstQyoMSSGCJPt492QSsF UTa00P7oLwSVYQ5oJJ1sCW/BReAoXMhHvNoPpzUJLZzOYGyUzARvcskc9aOA83j3vBIRGCGR 4Br4XLBarJ0mv7pYTUbrvAeyDru2YY8DEbQt/p4qmyLKH67SiMqTifSZFnodDG7o+pljMna8 6tPiBjO5WXPg7xNGEc5cYqpyUJPFU58RAxLcCYoOR2Q0onGCStdIINneZazUrvK5np/T/fRn oC+x5MU3sJY8Pu65/lO9pV3mW45iKmtROX677T4IeMbi6K6DngVkDIgPk3twwnLqIFEc98uT hxT4qyJH31aRqc8dv3BVDYXfhL7vIZ3CoQIDAQABoy0wKzAbBgNVHREEFDASgRBtaW5mcmlu QHNoYXJwLmZtMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAHvqVnaLYMNxU+Wtw NY+sYiSZxlKhab/sctG/Czj6Ntn75tzPNSu6GbW3jXRnyiP3mxTmlDzdKgZLdFcCf/5NfRym A23HhLAn41+G97LbDVMT80uU3efurSbsGbiPj7M0pcuMWPoHfQh9x7yofDuXr0xJVwqgmLJ3 wQwzirwOb7AwggM/MIICqKADAgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJa QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoT EVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERp dmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG 9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcN MTMwNzE2MjM1OTU5WjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRp bmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vp bmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f 6f+jHuy9zfVb8hp2vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/Ef kTYkKhPPK9Xzgnc9A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7 AgMBAAGjgZQwgZEwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRw Oi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8E BAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqG SIb3DQEBBQUAA4GBAEiM0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQc UCCTcDz9reFhYsPZOhl+hLGZGwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bG CE6u9uo05RAaWzVNd+NWIXiC3CEZNd4ksdMdRv9dX2VPMYIDZDCCA2ACAQEwdjBiMQswCQYD VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEAxljuBYvPVR3WhH6nkb TPowCQYFKw4DAhoFAKCCAcMwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B CQUxDxcNMDgwOTEzMTA1ODQ5WjAjBgkqhkiG9w0BCQQxFgQU30XlFZnbNRXJfE7N0I1hw+ey VQAwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZI hvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgYUGCSsGAQQBgjcQBDF4MHYwYjEL MAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAq BgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAhAMZY7gWLz1Ud1o R+p5G0z6MIGHBgsqhkiG9w0BCRACCzF4oHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRo YXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBG cmVlbWFpbCBJc3N1aW5nIENBAhAMZY7gWLz1Ud1oR+p5G0z6MA0GCSqGSIb3DQEBAQUABIIB AJpdrs8SZZwn/QRz5fPRWz5vrZA/oyWAJJvsicQplAM8IFumz2N+ULDmpZU9bigvGVcjOnf2 6ZWzyqSZfk/iuHFUbtHxR/l7EMg31FgOG177PkeaCqDZpo07OdcB6enk30nGX77ImWnzAyZj xf4OxrWRPBuALYcYrj6opkkUJrEEfH1VqYlRyQvvBM/6notYSyWEiei1uW5igr5IuLdo20pc XQtBnNyjykgSnx5sEi0Qrcuupo8V4iqFPHX0rROXNeWCsgZVpdMDWPAzC5N/waLcYk2lyV8+ tqC1OIACObaeo5flanE4YBRvZIK99EBZTcqX/eOLZyYV4EJ3a/UyDXUAAAAAAAA= --------------ms080608060804080200030406--