Ralf S. Engelschall wrote:
> 
> I'll not say anything about comparisons in general, because either people can
> find out the differences themselves or the differences are not actually
> important for them (or they would have found it out). But a few technical
> questions to Ben follow...
> 
> On Wed, May 05, 1999, Ben Laurie wrote:
> 
> > [...]
> > d) Apache-SSL supports DSOs.
> 
> Are you sure, Ben? At least I still cannot imagine how you support DSO while
> Apache-SSL still uses direct symbol references between the Apache core and the
> apache_ssl module (the big "no-no" for DSO). Either you mean something
> different by DSO ("DSO support" usually means an apache_ssl.so can be built
> and used) or my knowledge of DSO lacks some details.

I mean that any other DSO can be used. Since SSL can be disabled easily,
it isn't a big deal that Apache-SSL itself can't be a DSO. And nor can
mod_ssl in any useful sense of the word: you still have to patch Apache
in the first place.

> > g) The stuff about passphrases is no different to Apache-SSL [..]
> 
> That's IMHO not quite correct or I've overlooked some of your recent
> developments, Ben. For instance the pass phrase dialog is reduced to a minimum
> when you use lots of virtual hosts (the pass phrases are reused).

No-one has ever asked me to do this but you are right, it is a
difference.

> And the
> reason for the possibility to spawn an external program is to allow people to
> plug-in smart card applications or similar stuff without patching mod_ssl. It
> doesn't increase security, of course. But that's not the goal of this
> feature...

It reduces security, which is why I don't support it.

> > h) replacing gcache with DBM seems a backward step to me.
> 
> You've still not said "why"? Because of the DBM key/value size restrictions?
> Or because of the lower access? The size restriction is actually no real
> problem, because it only means some very large certificate chains cannot be
> cached. The lower access might be an argument, but keep in mind that for
> mod_ssl 2.3.0 I've already written a shared memory based alternative which
> beats both gcache and DBM caches in performance, of course.  BTW, the reason
> why I've replaced gcache with a DBM approach was not performance: It was
> stability.

Because DBM is a single-user facility, so it is highly inefficient.

Although gcache was a bit troublesome at first, there is no stability
problem I know of, and I use it for many production systems.

> > Also, I notice that parts of that FAQ were written by me, yet strangely
> > there is no credit [...]
> 
> Correct. The reason is that you already get proper credit on more prominent
> locations (even directly on the website welcome page and the README in
> the distribution, etc.) for the _whole_ mod_ssl distribution (where the FAQ is
> only a small part). But when you insist on some extra credit in the
> FAQ-Chapter you can get it, of course. But please stop such indirect attacks,
> Ben. Thanks.

Umm. What kind of attack would you call your FAQ?

> BTW, "the parts of the FAQ" you speak about are actually just two little
>      entries: "want to run HTTP and HTTPS on the same machine. Is that
>      possible?" and "Why does my browser hang when I connect to my SSL-aware
>      Apache server?"....

They caught my eye, is all.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
