Static TLS ticket keys (Re: svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c mo
On 20.11.2011 11:37, Kaspar Brand wrote:
> I see. What I don't completely understand yet, however, is the need / use case for keeping multiple decryption keys around per SSLSrvConfigRec. When switching to a new key (with a reload/restart), session tickets encrypted with the previous keys should no longer get decrypted - otherwise those sessions effectively become perpetual... or am I overlooking something?
>
> I.e., could we just drop the SSLTicketKeyDefault directive and remove the keyname part from SSLTicketKeyFile, so that there's simply one ticket key (file) per SSLSrvConfigRec? That would make the configuration simpler, IMO.

Replying to myself (sorry), but this should be sorted out before 2.4.0, IMO. Unless there are strong arguments for keeping the multiple-decryption-keys-per-SSL-context feature, I think that this option should be removed - i.e., only allow configuring one key per vhost with the SSLTicketKeyFile directive (I can take care of that if no one beats me to it).

The following post from Adam Langley might also be of interest in this context - it summarizes Google's recent improvements in the HTTPS area: http://www.imperialviolet.org/2011/11/22/forwardsecret.html (one of them is about session tickets... and note that they do not use persistent storage for these ephemeral keys).

Kaspar
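The property Kaspar is arguing for (a rotated-away ticket key must stop decrypting tickets, otherwise resumed sessions never expire and the forward-secrecy window grows without bound) can be shown with a small model of server-side ticket handling. This is example code written for this page, not mod_ssl's implementation: the names TicketKey, TicketIssuer, survives_rotation and the constructed session state are invented, and the HMAC-SHA256 counter-mode keystream is a stand-in for the AES layer a real implementation uses. Only the ticket layout (key name, nonce, encrypted state, MAC) follows RFC 5077.

```python
"""Toy model of TLS session-ticket key handling (RFC 5077 layout: key name,
nonce, encrypted state, MAC). Added example, not httpd/mod_ssl code. The
keystream below is a constructed HMAC-SHA256 counter-mode PRF standing in for
the AES layer of a real ticket; the key-rotation policy is the point."""
import hashlib
import hmac
import json
import os
import struct

KEY_NAME_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


class TicketKey:
    """One ticket key: a public name plus independent encryption and MAC secrets."""

    def __init__(self):
        self.name = os.urandom(KEY_NAME_LEN)
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)


def _keystream(key, nonce, length):
    # Constructed PRF keystream (HMAC in counter mode); stands in for AES-CTR.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketIssuer:
    """Server-side ticket handling for one vhost.

    keep_old_keys=False models the single-key-per-SSLSrvConfigRec design:
    rotating the key invalidates every ticket issued under the old one.
    keep_old_keys=True models the multiple-decryption-keys design, under which
    old tickets keep resuming for as long as the old key is retained."""

    def __init__(self, keep_old_keys=False):
        self.keep_old_keys = keep_old_keys
        self.current = TicketKey()
        self.old_keys = []

    def rotate(self):
        """Install a fresh key, as a reload/restart with a new key file would."""
        if self.keep_old_keys:
            self.old_keys.append(self.current)
        self.current = TicketKey()

    def _accepted_keys(self):
        return [self.current] + self.old_keys

    def issue(self, session_state):
        """Encrypt-then-MAC the serialised session state under the current key."""
        plaintext = json.dumps(session_state, sort_keys=True).encode()
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _xor(plaintext, _keystream(self.current.enc_key, nonce, len(plaintext)))
        body = self.current.name + nonce + ciphertext
        tag = hmac.new(self.current.mac_key, body, hashlib.sha256).digest()
        return body + tag

    def resume(self, ticket):
        """Return the session state, or None to force a full handshake."""
        if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
            return None
        name = ticket[:KEY_NAME_LEN]
        key = next((k for k in self._accepted_keys() if hmac.compare_digest(k.name, name)), None)
        if key is None:
            return None  # unknown (rotated-away) key name: the ticket is dead
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(key.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, or wrong key for this name
        nonce = body[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
        ciphertext = body[KEY_NAME_LEN + NONCE_LEN:]
        plaintext = _xor(ciphertext, _keystream(key.enc_key, nonce, len(ciphertext)))
        return json.loads(plaintext.decode())


def survives_rotation(keep_old_keys):
    """Issue a ticket, rotate the key once, report whether the ticket still resumes."""
    issuer = TicketIssuer(keep_old_keys=keep_old_keys)
    ticket = issuer.issue({"master_secret": "constructed-secret", "cipher": "AES128-SHA"})
    assert issuer.resume(ticket) is not None  # resumes before rotation
    issuer.rotate()
    return issuer.resume(ticket) is not None


if __name__ == "__main__":
    print("single key per vhost, ticket valid after rotation:", survives_rotation(False))
    print("old keys retained, ticket valid after rotation:", survives_rotation(True))
```

With a single key per vhost the ticket dies at the first rotation and the client falls back to a full handshake; with retained decryption keys it keeps resuming, which is exactly the "perpetual session" Kaspar describes. A ticket whose key name is unknown is rejected before any MAC work is done, so rotation also costs nothing on the rejection path.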
questions about document_root
Hi,

I want to modify the Apache core to implement a function which achieves the following: when I request 1000.xxx.com/test.php (curl 1000.xxx.com/test.php), Apache originally resolves the absolute path as $document_root/test.php, but I want Apache to resolve $document_root/1000/test.php. Namely, Apache will parse 1000 from the request URI to form the absolute path. Then php-cgi can get this PHP script to execute.

Previously, I just modified the PHP Zend engine to achieve this. But considering that support for other languages such as Python would be added to the system, modifying the web server (Apache) is a more convenient way. But I'm worried that this modification will result in some unexpected errors in some modules, and I don't know what the best place to modify is. Should I modify $document_root or $request_uri?

Really appreciate your help.

-- 
Best regards,
Rui Hu
State Key Laboratory of Networking Switching Technology
Beijing University of Posts and Telecommunications (BUPT)
MSN: tchrb...@gmail.com
Re: questions about document_root
On 7 Dec 2011, at 10:54, Rui Hu wrote:
> Hi, I want to modify apache core to implement a function which can achieve following expectations:

That's a simple task for a simple module. Since you talk of modifying the core, I infer you're not familiar with the modular structure. If I might indulge in a bit of self-promotion, a starting point for this is ISBN: 0-13-240967-4 (also http://www.apachetutor.org/ )

-- 
Nick Kew
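The mapping Rui asks about above (first label of the host name becomes a directory under the document root) is exactly the kind of filename computation a translate_name hook in a module would do, and it has one security pitfall worth getting right before any module is written: both the Host header and the URI are attacker-controlled, so the computed path must be proven to stay inside the per-tenant directory. The function below is an added example for this page, plain Python rather than an httpd module; map_request, TENANT_LABEL and the sample host/URI values are constructed, and the numeric-only tenant policy is an assumption.

```python
"""Added example (not httpd code, not Nick's module): the host-label-to-directory
mapping from the question above, with the containment check a translate_name
hook would need before handing httpd a filename. Inputs are constructed samples."""
import posixpath
import re
from urllib.parse import unquote

# Constructed policy: the tenant id is the leftmost label of the Host header and
# must be purely numeric; anything else is refused rather than guessed at.
TENANT_LABEL = re.compile(r"^[0-9]{1,10}$")


def map_request(host, uri, document_root):
    """Return the filesystem path for a request, or None if it must be refused.

    host: value of the Host header, e.g. "1000.xxx.com" or "1000.xxx.com:8080".
    uri:  request path, e.g. "/test.php" (a query string is ignored).
    Any accepted result lies at or strictly below document_root/<tenant>/.
    """
    hostname = host.split(":", 1)[0].lower()
    tenant = hostname.split(".", 1)[0]
    if not TENANT_LABEL.match(tenant):
        return None  # no usable tenant label: do not fall back to the shared root

    # Decode once, then reject NUL bytes and relative paths before normalising.
    path = unquote(uri.split("?", 1)[0])
    if not path.startswith("/") or "\x00" in path:
        return None

    tenant_root = posixpath.join(document_root, tenant)
    candidate = posixpath.normpath(posixpath.join(tenant_root, path.lstrip("/")))
    # normpath collapses "." and ".." segments; the containment test below is
    # what actually stops "../" from escaping the tenant directory.
    if candidate != tenant_root and not candidate.startswith(tenant_root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for host, uri in [("1000.xxx.com", "/test.php"),
                      ("1000.xxx.com:443", "/a/../../etc/passwd"),
                      ("1000.xxx.com", "/%2e%2e/secret"),
                      ("www.xxx.com", "/test.php")]:
        print(host, uri, "->", map_request(host, uri, "/var/www"))
```

Only r->filename changes under this scheme; DOCUMENT_ROOT as seen by CGI scripts is untouched, which is one answer to the "$document_root or $request_uri" question: modify neither, compute the filename. Note that a valid-looking tenant label still has to correspond to a directory you intend to serve; that check belongs with the filesystem lookup that follows this mapping.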
Re: svn commit: r1209766 [9/12] - in /httpd/httpd/trunk: docs/log-message-tags/ modules/aaa/ modules/apreq/ modules/arch/netware/ modules/arch/unix/ modules/arch/win32/ modules/cache/ modules/cluster/
On 03.12.2011 00:02, s...@apache.org wrote: Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=1209766r1=1209765r2=1209766view=diff == --- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Fri Dec 2 23:02:04 2011 @@ -94,7 +94,7 @@ void ssl_log_ssl_error(const char *file, annotation = ssl_log_annotation(err); ap_log_error(file, line, APLOG_MODULE_INDEX, level, 0, s, - SSL Library Error: %s%s%s%s%s%s, + APLOGNO(02021) SSL Library Error: %s%s%s%s%s%s, /* %s */ err, /* %s%s%s */ @@ -135,7 +135,7 @@ static void ssl_log_cert_error(const cha */ int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2; -BIO_puts(bio, [subject: ); +BIO_puts(bio, APLOGNO(02022) [subject: ); name = SSL_X509_NAME_to_string(p, X509_get_subject_name(cert), maxdnlen); if (!strIsEmpty(name)) { 
@@ -174,7 +174,7 @@ static void ssl_log_cert_error(const cha } else { apr_snprintf(buf + msglen, sizeof buf - msglen, - [certificate: -not available-]); + APLOGNO(02023) [certificate: -not available-]); } if (r) { These changes aren't doing the right thing, I think... both ssl_log_ssl_error() and ssl_log_cert_error() are basically wrappers for ap_log_*(), and are therefore called from various places in mod_ssl - i.e. the messages triggering them should get different tags. (Also, in the case of ssl_log_cert_error, the error tag is currently inserted somewhere in the middle of the message, because ssl_log_cert_error appends to a message already stored in buf.) ssl_log_ssl_error is (virtually?) always called in combination with ap_log_*, so we might do without a tag for these messages - or otherwise, modify ssl_log_ssl_error to allow a tag to be passed in, and then use the same tag in both log calls (?). Finally, as far as ssl_log_xerror/ssl_log_cxerror/ssl_log_rxerror are concerned, would it be possible to extend the Coccinelle patch file so that these are also recognized? Kaspar
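Review bot: in the second and third hunks the APLOGNO tags are inserted into strings that ssl_log_cert_error() appends to buf after a message is already there (BIO_puts(bio, APLOGNO(02022) [subject: ) and the apr_snprintf at buf + msglen), so the tag lands in the middle of the resulting log line rather than at its start; and in the first hunk APLOGNO(02021) goes into the ap_log_error call inside ssl_log_ssl_error(), a wrapper reached from many call sites, so every SSL library error would carry the same tag regardless of where it was triggered. Suggest removing the tags from both wrappers and tagging the ap_log_* call at each caller, or giving ssl_log_ssl_error() a tag parameter so the caller's tag is reused in both log calls.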
heartbeat.h
Is heartbeat.h supposed to be part of the public API? It contains a single structure, no explanation of what it is for. Joe
Re: Are we there yet?
I'd like to see us ship the bundled apr sources (well, I'd like to see NO bundled apr sources, but...) to include the APR_HAS_IPV6 for our windows apr.hw, given that all win platforms supported /today/ have support, and it works out quite well. Of course it's a deep intrinsic change in the build (something that didn't have to happen, but c'est la vie)... and would be incompatible with older httpd's and some third party modules. To mark the auspicious occasion, what would folks think of shifting to apr 1.5 so that post-1.4 is the dividing line, for simplicity's sake? Or, other suggestions about bridging that divide?
Re: svn commit: r1209766 [9/12] - in /httpd/httpd/trunk: docs/log-message-tags/ modules/aaa/ modules/apreq/ modules/arch/netware/ modules/arch/unix/ modules/arch/win32/ modules/cache/ modules/cluster/
On Wednesday 07 December 2011, Kaspar Brand wrote:
> These changes aren't doing the right thing, I think... both ssl_log_ssl_error() and ssl_log_cert_error() are basically wrappers for ap_log_*(), and are therefore called from various places in mod_ssl - i.e. the messages triggering them should get different tags. (Also, in the case of ssl_log_cert_error, the error tag is currently inserted somewhere in the middle of the message, because ssl_log_cert_error appends to a message already stored in buf.)
>
> ssl_log_ssl_error is (virtually?) always called in combination with ap_log_*, so we might do without a tag for these messages - or otherwise, modify ssl_log_ssl_error to allow a tag to be passed in, and then use the same tag in both log calls (?).
>
> Finally, as far as ssl_log_xerror/ssl_log_cxerror/ssl_log_rxerror are concerned, would it be possible to extend the Coccinelle patch file so that these are also recognized?

Good point. Fixed/added in r1211680. I have not modified ssl_log_ssl_error() besides removing the tag. It's really only called together with some other log message, so the tag doesn't add any value.
Re: questions about document_root
Thanks for your advice. I just started to learn Apache and PHP. I looked up the code of PHP and apache2, and found that PHP gets the docroot from the environment variable $DOCUMENT_ROOT. However, in Apache I cannot find any code which assigns this variable. I googled but got nothing. Can you please show me the detailed process generating $DOCUMENT_ROOT in $_SERVER from Apache to PHP? Thank you very much!

2011/12/7 Nick Kew n...@webthing.com
> On 7 Dec 2011, at 10:54, Rui Hu wrote:
>> Hi, I want to modify apache core to implement a function which can achieve following expectations:
>
> That's a simple task for a simple module. Since you talk of modifying the core, I infer you're not familiar with the modular structure. If I might indulge in a bit of self-promotion, a starting point for this is ISBN: 0-13-240967-4 (also http://www.apachetutor.org/ )
>
> -- 
> Nick Kew

-- 
Best regards,
Rui Hu
State Key Laboratory of Networking Switching Technology
Beijing University of Posts and Telecommunications (BUPT)
MSN: tchrb...@gmail.com
Re: questions about document_root
On December 7, 2011 23:23, Rui Hu tchrb...@gmail.com wrote:
> I looked up the code of PHP and apache2, and found that PHP gets docroot from environment var $DOCUMENT_ROOT. However in apache, I cannot find any code which assign this var. I googled but got nothing. Can you please show me the detailed process generating $DOCUMENT_ROOT in $_SERVER from apache to php. Thank you very much!

If you invoke PHP as a CGI, then Apache HTTP Server sets DOCUMENT_ROOT in the function ap_add_common_vars() which is in the file server/util_script.c. See line 237, https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/util_script.c?revision=1100216&view=markup

-- 
Mark Montague
m...@catseye.org
Re: questions about document_root
2011/12/8 Rui Hu tchrb...@gmail.com
> Is $DOCUMENT_ROOT in php-cgi determined by ap_add_common_vars() in Apache? It seems not, to me. I commented out the line 237 assigning DOCUMENT_ROOT and re-compiled Apache. php-cgi still works fine. It seems that $DOCUMENT_ROOT in php-cgi is not determined by this function. I looked up PHP's code; php-cgi gets DOCUMENT_ROOT in the following code:
>
>     /* DOCUMENT_ROOT */
>     value = lstFset_get(rc->t->vars, "docroot");
>     if (value != NULL)
>         php_register_variable("DOCUMENT_ROOT", value, track_vars_array TSRMLS_CC);
>
> It gets the docroot from a k-v table and the key is "docroot". In the above code, rc->t is a variable of type httpTtrans.
>
> 2011/12/8 Mark Montague m...@catseye.org
>> On December 7, 2011 23:23, Rui Hu tchrb...@gmail.com wrote:
>>> I looked up the code of PHP and apache2, and found that PHP gets docroot from environment var $DOCUMENT_ROOT. However in apache, I cannot find any code which assign this var. I googled but got nothing. Can you please show me the detailed process generating $DOCUMENT_ROOT in $_SERVER from apache to php. Thank you very much!
>>
>> If you invoke PHP as a CGI, then Apache HTTP Server sets DOCUMENT_ROOT in the function ap_add_common_vars() which is in the file server/util_script.c. See line 237, https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/util_script.c?revision=1100216&view=markup
>>
>> -- 
>> Mark Montague
>> m...@catseye.org
>
> -- 
> Best regards,
> Rui Hu
> State Key Laboratory of Networking Switching Technology
> Beijing University of Posts and Telecommunications (BUPT)
> MSN: tchrb...@gmail.com

-- 
Best regards,
Rui Hu
State Key Laboratory of Networking Switching Technology
Beijing University of Posts and Telecommunications (BUPT)
MSN: tchrb...@gmail.com