Martin Kraemer wrote:
> 
> On Wed, Apr 25, 2001 at 10:03:38AM -0700, Greg Stein wrote:
> > >...
> > > I agree that mod_tls isn't an advanced module, but it is a way to remove
> > > some of the politics from the SSL modules in Apache.
> >
> > Bingo. We've got two camps that disagree at a basic level. Fine, they can
> > continue with their rock throwing, and the core Apache will do its own
> > thing independently. The SSL situation will then just disappear since Apache
> > will simply come with a solution.
> 
> I disagree completely. Neither is the Apache Group going to get to
> a point where the "political" disagreement becomes any better,
> nor will "Apache simply come with a solution" within the next years.
> 
> - the mod_ssl author is not going to add any functionality to mod_tls,
>   because he says it is an almost 1:1 copy of an OpenSSL example, which
>   is nothing but the OpenSSL version of "Hello World".
>   Instead, he will remain in the unlucky situation where he is forced
>   to maintain mod_ssl for apache-2.x separately.

mod_tls is merely the module that implements SSL/TLS _as a filter_, and
no more - the criticism makes no sense in that context.

> - The mod_tls author alone will never get it to a point where it is fit
>   for professional use. That is certainly my biased opinion, because I
>   use mod_ssl.

The mod_tls author wasn't intending to, alone.

> - Current users of mod_ssl will demand professional quality because most of
>   them, ehhm, *ARE* using it in a professional environment. They will
>   therefore not consider mod_tls. (I for one am maintaining the mod_ssl
>   enhanced version of Apache for BS2000. I did consider different solutions,
>   but they were unusable, in comparison to mod_ssl).
> 
> - If both were going to collaborate on the mod_tls-to-be, the situation
>   would be different. But it was "politically unwise" not to ask the
>   mod_ssl author before the mod_tls author added mod_tls to apache-2.0.
>   Now the situation is even worse than when both authors had their
>   own patches, because one author has his solution *in* the server
>   source tree, and the other author doesn't.

mod_tls is not a solution - it is a small part of one, and a part that
is needed by any complete one.

> - The remaining Apache Group members either never used SSL in the
>   first place, or are selling mod_ssl today as a commercial product.
>   The former are quite happy to see the R&D version grow from 12kB to
>   a professional solution (which will take years if experienced SSL
>   developers work on it, and with "experienced" I do not only mean
>   "experienced programmers", but also those who have experience with
>   making a product _fit_for_market_ like adding good documentation,
>   making it easily configurable, robust, flexible, and the like).
>   The latter are quite satisfied that they have mod_ssl (under a different
>   name) in their drawers, because it means they have an advantage over
>   the competition (which still plays with the mod_tls toy).
>   Face it: mod_ssl IS the professional solution, and that is the reason
>   why other (already professional) SSL solutions for Apache-1.3 were
>   ditched and replaced by mod_ssl (and not by Apache-SSL).
> 
> mod_tls looks like the right approach, technically, but why not "add
> mod_tls to mod_ssl", which gives us (and the world) a world-class SSL
> server based on the World-class HTTP server? That could be a basis where
> collaboration would make sense, and other mod_ssl/Apache-SSL users
> could help us iron out any 2.x related things.
> 
> But starting from scratch is IMHO not the way to get mod_tls up and
> running within the next 2 years.

I'm going to amaze everyone by agreeing - I don't think there are enough
people interested to make this approach work. Furthermore, I'm also
quite happy to start from a ported mod_ssl as a basis (yes, really). I
would also like to stop supporting Apache-SSL, and I can only do that if
there's decent SSL support that I can work on in Apache. I agree that
mod_ssl is favoured, for whatever reason, and therefore I will now agree
to not oppose its inclusion in Apache.

However, it really should use the filter in mod_tls to do the SSL - that
was actually considerably hard to get right. And there's a bunch of
other stuff that should be done to make SSL support properly modular.

I'm happy to work with Ralf to make that happen, if the result will
belong to the ASF.

Cheers,

Ben.


--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

ApacheCon 2001! http://ApacheCon.com/
