Hi Bill,
[sorry for not providing complete details]
Here's what the patch does :
- Replace the old APACHE_CHECK_SSL_TOOLKIT method with a re-written one
(Geoff's patch)
This essentially does all the same checks that was being done earlier, but
in a more cleaner fashion (using the autoconf tools like AC_CHECK_HEADER,
AC_CHECK_LIB etc)
- Move the inclusion of openssl headers to ssl_toolkit_compat.h, and change
to include headers of type "openssl/ssl.h" instad of "ssl.h". That is what
is followed by the openssl sources also, and I believe mod_ssl should also
do the same. Also, please refer to PR11310. (Geoff's patch)
- During the configure stage, clearly differentiates between OpenSSL and
SSL-C toolkits. If OpenSSL, do some OpenSSL specific checks, and do SSL-C
specific checks for the SSL-C toolkit (Geoff)
- What I've done is add some SSL-C specific checks (just to avoid any
configure time failures for those using SSL-C) - so that we can put the
right library in the LDFLAGS. Right now, I just added a dummy check (to
check for SSL_CTX_new), and I have a plan to do a more thorough job later
(when I submit the SSL-C patch)
- Regarding the SSL-C version, I've tried using with both 2.1 and 2.3 (I
definitely prefer 2.3). The reason I put 2.1 is to enable all those users
with 2.1 to get mod_ssl to work. If you think it's a waste of time, I'd be
happy to force 2.3 [Does anybody know if SSL-C had security problems in
versions < 2.3. I thought it had, but I'm totally unaware of it]
-Madhu
-----Original Message-----
From: William A. Rowe, Jr. [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:03 PM
To: [EMAIL PROTECTED]
Cc: 'Geoff Thorpe'; [EMAIL PROTECTED]; MATHIHALLI,MADHUSUDAN
(HP-Cupertino,ex1)
Subject: RE: [PATCH] openssl configuration (v2)
Madhu, I really like the gist of this patch.
I'm trying to get rolling 2.0.45 out the door, so I haven't had time to
watch your conversation. I have my own toolkit patch for SSL-C 2.3
that probably breaks earlier SSL-C flavors. This is why I haven't had
time to investigate/respond - spending too much time in firefighting mode
:-/
I see no reason, though, to leave the 'old' detection stub lying around.
If you are ready to replace it, axe it. That's what CVS versioning is for.
I'd be happy to offer more insight one we've let 2.0.45 fly, and work in
my own patches. I suppose the obvious question is which SSL-C flavors
do we really expect to support? Only 2.3? 2.3 and 2.1? Further back
with the time machine?
It seems like a waste to spend alot of cycles on old library versions
--- I would personally vote for 2.3 and 2.1 only (most likely to be patched
against modern SSL evils.) (2.2 was effectively 2.1 with some extra
libraries bundled alongside.)
But we cannot quit testing for the SSL_set_state sort of functions (I don't
know if you did or not) because I for one enjoy forcing SSL-C to do what
it should have done in the first place :-) Please don't clobber function
detection in your final patch, please!
Bill
At 08:30 PM 3/12/2003, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
>Okay.. I've added some little checks to get SSL-C to be recognized. Here's
a
>patch (relative to Geoff's patch) that does some checking.. I've added the
>complete patch as attachment (also). If nobody has any objections, I'd like
>to commit this.
>
>Thanks
>-Madhu
>
>
>
>105,106c107,112
>< + dnl FIXME: we currently don't check anything for SSL-C
>< + AC_MSG_RESULT([OK, but I didn't really check])
>---
>> + AC_TRY_COMPILE([#include <sslc.h>],
>> +[#if !defined(SSLC_VERSION_NUMBER) || SSLC_VERSION_NUMBER < 0x2100
>> +#error "invalid SSL-C version"
>> +#endif],
>> + [AC_MSG_RESULT(OK)],
>> + [AC_MSG_ERROR([SSL-C Versions < 2.1 has not been tested])])
>125,126c131,136
>< + AC_CHECK_LIB(crypto, SSLeay_version, [], [liberrors="yes"])
>< + AC_CHECK_LIB(ssl, SSL_CTX_new, [], [liberrors="yes"])
>---
>> + if test "$ap_ssltk_type" = "openssl"; then
>> + AC_CHECK_LIB(crypto, SSLeay_version, [], [liberrors="yes"])
>> + AC_CHECK_LIB(ssl, SSL_CTX_new, [], [liberrors="yes"])
>> + else
>> + AC_CHECK_LIB(sslc, SSL_CTX_new, [], [liberrors="yes"])
>> + fi
>152,155c162,168
>< + dnl (d) add "-lssl -lcrypto" to LIBS because restoring LIBS after
>< + dnl AC_CHECK_LIB() obliterates any flags AC_CHECK_LIB() added.
>< + APR_ADDTO(LIBS, [-lssl -lcrypto])
>< +
>---
>> + dnl (d) add "-lssl -lcrypto" OR "-lsslc" to LIBS because restoring
LIBS
>> + dnl after AC_CHECK_LIB() obliterates any flags AC_CHECK_LIB() added.
>> + if test "$ap_ssltk_type" = "openssl"; then
>> + APR_ADDTO(LIBS, [-lssl -lcrypto])
>> + else
>> + APR_ADDTO(LIBS, [-lsslc])
>> + fi
>
>
>
>
>
>-----Original Message-----
>From: Geoff Thorpe [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, March 12, 2003 2:38 PM
>To: [EMAIL PROTECTED]
>Cc: Madhusudan Mathihalli
>Subject: Re: [PATCH] openssl configuration (v2)
>
>
>Hi Madhu,
>
>Thanks for giving the latest incarnation a review.
>
>* MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) ([EMAIL PROTECTED])
>wrote:
>>
>> I tried the patch, and it seemed to work fine for me (and it's more
>cleaner
>> than what we have today).
>>
>> - I don't know how SSL-C will be broken with this patch
>> - Anybody out there using SSL-C ?
>> - I have a patch to get SSL-C to work with mod_ssl.. I'll have to dust it
>> out, before posting the patch.
>
>If it helps move things along I'd be happy to sift through your existing
>patch to see what it does. Although the two patches are unlikely to
>cohabitate, it should be obvious enough from your patch what (if
>anything) needs changing in mine to achieve SSL-C's needs, and I could
>send an updated version with whatever I find? Ball, your court, etc :-)
>
>As for testing SSL-C, can't we just approach Eric or Tim? Or do Covalent
>or any other commecial Apache vendor use SSL-C? These would seem the
>obvious avenues to me, but I don't want to pre-empt whatever
>communications are already going w.r.t. SSL-C support. Just let me know
>if I can help in some way.
>
>> - any objections
>
>Not from me, but then that should come as no surprise ...
>
>Cheers,
>Geoff
>
>--
>Geoff Thorpe
>[EMAIL PROTECTED]
>http://www.geoffthorpe.net/
>
