Tom Donovan wrote: > William A. Rowe, Jr. wrote: >> >> But if mod_deflate doesn't use it, and openssl is built zlib-dynamic, >> they simply pitched compression from ssl sessions as well with no other >> adverse effects. > Yes, exactly. openssl doesn't select gzip compression if zlib-dynamic > and zlib1.dll is missing. >> >> The other aspect, if a zlib1.dll replacement is needed for some critical >> decryption flaw in zlib again, it will be nice not to force users to >> entirely replace openssl or mod_deflate. So I expect we'll leave it >> as-is. >> > I think mod_deflate on Windows links statically (zlib.lib) while openssl > is linked dynamically (zdll.lib). At 40-60kb it's no big deal either > way - but the "security flaw in zlib" argument would seem to apply to > both equally. Both static or both dynamic would be more consistent.
You were right, we weren't linking to zdll.lib for mod_deflate, I'll be fixing that shortly, and working up the two patches to share, one for the APR_NO_FILE tweak, one for the stderr quirk with modperl. Had to push out these binaries first, and also now am struggling very deep inside MSVCR80/OpenSSL/ActiveState Perl on x64 and a host of bugs that some of the perl packages have, assuming they can pack pointers into int's and back out again. Sorry that mess left me distracted from the issues you raised for most of this week. Bill
