> configure.in:
> 
> -              LIBS="$LIBS -lssl",
> -              echo no;echo Either get a multithread-enabled SSL or configure with 
>--disable-ssl;
> -              exit 1,
> +              LIBS="$LIBS -lssl -lcrypto",
> +             echo no;AC_DEFINE(HAVE_LIBSSL)
> +              LIBS="$LIBS -lssl -lcrypto";echo "WARNING: OpenSSL is not 
>multithread-enabled!",
> 
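Review bot: the fallback branch (from "echo no;AC_DEFINE(HAVE_LIBSSL)" on) now builds SSL support against a non-multithread OpenSSL with only an echo in the configure output, which is easy to miss and leaves no trace in the resulting binary. Consider making this fallback opt-in through a configure switch, or at least emit the message with AC_MSG_WARN and define a separate macro so the program can log the condition at startup. The LIBS="$LIBS -lssl -lcrypto" assignment is also repeated in both branches.
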
> It really makes no sense to use non-threaded OpenSSL. It leads to random crashes.
> And users are prone to ignoring these kinds of warnings, then coming to the list
> whining about those random crashes. I think this was discussed earlier when I
> made my client side implementation?

I know, but we would like to keep the support for the Cygwin platform
and there we currently run openssl un-threaded. 

I don't like to force users to hack in the configure.in (or even
configure in the worst case) to get a runnable system out of it.

> conn.c:
> 
> +void server_ssl_init(void)
> 
> conn.h:
> 
> +void server_init_ssl(void);
> 
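Review bot: the name defined in conn.c (server_ssl_init) does not match the prototype added to conn.h (server_init_ssl), so callers that include conn.h will reference a function that is never defined. Pick one spelling and use it in both files.
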
> This must be a typo.
> 
> Is there a need for different certificates and SSL contexts for clients and servers?

This depends on the user. Some may need different instances for server
and client side. This way the user can decide on his/her own if he/she
wants them to match in the config file.

Otherwise you would be too restrictive in my opinion if you would use
only one for both sides. Comments from the others?

> smsbox.c:
> 
> +
> +#ifdef HAVE_LIBSSL
> +    cfg_get_bool(&ssl, grp, octstr_imm("admin-port-ssl"));
> 
> +#ifdef HAVE_LIBSSL
> +    cfg_get_bool(&ssl, grp, octstr_imm("sendsms-port-ssl"));
> +#endif /* HAVE_LIBSSL */
> +
> 
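Review bot: because both cfg_get_bool() reads sit inside #ifdef HAVE_LIBSSL, a configuration that sets admin-port-ssl or sendsms-port-ssl is accepted without any notice on a build without SSL, and the operator may believe the port is encrypted. Read the values unconditionally and refuse to start, or at least log an error, when either is true and HAVE_LIBSSL is not defined. The first #ifdef also has no matching #endif in the lines quoted here.
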
> I think we should actually read this config variable even though we haven't
> compiled SSL in and warn the user if they're trying to use SSL.

Right! -- I'll change that.

> +    } else if (ssl) {
> +          panic(0, "You MUST specify cert and key files within core group for 
>SSL!");
> +    }
> 
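Review bot: the panic message in the "else if (ssl)" branch does not name the configuration directives it expects, so the operator has to guess which entries of the core group are missing. Stopping at this point instead of starting the port without SSL is reasonable; name the two directives in the message text.
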
> Is this really cause for panic?

If you want SSL support for the HTTP server, but there is no cert and
key file specified?? Hmm, I think so, yes.


Stipe

[EMAIL PROTECTED]
-------------------------------------------------------------------
Wapme Systems AG

Münsterstr. 248
40470 Düsseldorf

Tel: +49-211-74845-0
Fax: +49-211-74845-299

E-Mail: [EMAIL PROTECTED]
Internet: http://www.wapme-systems.de
-------------------------------------------------------------------
wapme.net - wherever you are
