Static TLS ticket keys (Re: svn commit: r1200040 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c mo

2011-12-07 Thread Kaspar Brand
On 20.11.2011 11:37, Kaspar Brand wrote:
 I see. What I don't completely understand yet, however, is the need /
 use case for keeping multiple decryption keys around per
 SSLSrvConfigRec. When switching to a new key (with a reload/restart),
 session tickets encrypted with the previous keys should no longer get
 decrypted - otherwise those sessions effectively become perpetual... or
 am I overlooking something?
 
 I.e., could we just drop the SSLTicketKeyDefault directive and remove
 the keyname part from SSLTicketKeyFile, so that there's simply one
 ticket key (file) per SSLSrvConfigRec? That would make the configuration
 simpler, IMO.

Replying to myself (sorry), but this should be sorted out before 2.4.0,
IMO. Unless there are strong arguments for keeping the
multiple-decryption-keys-per-SSL-context feature, I think that this
option should be removed - i.e., only allow configuring one key per
vhost with the SSLTicketKeyFile directive (I can take care of that if no
one beats me to it).

The following post from Adam Langley might also be of interest in this
context - it summarizes Google's recent improvements in the HTTPS area:
http://www.imperialviolet.org/2011/11/22/forwardsecret.html (one of them
is about session tickets... and note that they do not use persistent
storage for these ephemeral keys).

Kaspar
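
The concern in the post above, as an added example that is not part of the thread and is not mod_ssl code: a toy session-ticket key ring in Python (stdlib only; an HMAC-SHA256 keystream and an HMAC-SHA256 tag stand in for the cipher and MAC a real ticket callback uses, and MAX_TICKET_AGE, make_key, seal, unseal and the sample session state are all constructed here). A ticket sealed under the previous key keeps opening for as long as that key stays in the ring, which is the "perpetual session" effect; taking the old key out of the ring, or bounding the age of a ticket, ends it. Keys are generated with os.urandom and never written out, in line with the remark that these ephemeral keys need no persistent storage.

```python
"""Toy TLS session-ticket key ring (constructed example, not mod_ssl code).

Ticket layout: key_name(16) || nonce(16) || ciphertext || tag(32).
Confidentiality comes from an HMAC-SHA256 keystream and integrity from an
HMAC-SHA256 tag; both are stand-ins for the real primitives, chosen so the
example runs with the standard library alone.
"""
import hashlib
import hmac
import os
import struct
import time

KEY_NAME_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
MAX_TICKET_AGE = 24 * 3600   # assumed policy: tickets older than this are refused


def make_key(rng=os.urandom):
    """Generate an ephemeral ticket key. It lives in memory only."""
    return {"name": rng(KEY_NAME_LEN), "enc": rng(32), "mac": rng(32)}


def _keystream(enc_key, nonce, length):
    """Derive `length` keystream bytes as HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, session_state, now=None):
    """Wrap session state plus its issue time into a ticket under `key`."""
    issued = int(time.time() if now is None else now)
    plaintext = struct.pack(">Q", issued) + session_state
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key["enc"], nonce, len(plaintext))))
    body = key["name"] + nonce + ct
    tag = hmac.new(key["mac"], body, hashlib.sha256).digest()
    return body + tag


def unseal(keyring, ticket, now=None):
    """Return the session state if `ticket` verifies under a key in `keyring`, else None."""
    if len(ticket) < KEY_NAME_LEN + NONCE_LEN + 8 + TAG_LEN:
        return None
    name = ticket[:KEY_NAME_LEN]
    key = next((k for k in keyring if k["name"] == name), None)
    if key is None:
        return None   # sealed under a key this server no longer (or never) held
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key["mac"], body, hashlib.sha256).digest(), tag):
        return None   # tampered or wrong MAC key
    nonce = body[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
    ct = body[KEY_NAME_LEN + NONCE_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key["enc"], nonce, len(ct))))
    issued = struct.unpack(">Q", pt[:8])[0]
    current = int(time.time() if now is None else now)
    if current - issued > MAX_TICKET_AGE:
        return None   # the key may still be around, but the session is too old
    return pt[8:]


def rotation_demo():
    """Seal under the old key, rotate, and compare single-key vs. multi-key rings."""
    old, new = make_key(), make_key()
    state = b"resumable-session-secret"   # constructed placeholder for session state
    t0 = 1_000_000
    ticket = seal(old, state, now=t0)
    return {
        "single_key_after_rotation": unseal([new], ticket, now=t0 + 60),
        "multi_key_after_rotation": unseal([new, old], ticket, now=t0 + 60),
        "multi_key_past_max_age": unseal([new, old], ticket, now=t0 + MAX_TICKET_AGE + 1),
        "tampered": unseal([old], ticket[:-1] + bytes([ticket[-1] ^ 1]), now=t0 + 60),
    }


if __name__ == "__main__":
    for case, result in rotation_demo().items():
        print(f"{case}: {'resumed' if result else 'refused'}")
```

With only the new key configured, the old ticket is refused at once; with both keys kept, it resumes until either the old key is dropped or the embedded issue time exceeds MAX_TICKET_AGE. If a deployment does keep the previous key for a grace period, that age bound is what stops the grace period from turning into an unbounded session lifetime.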


questions about document_root

2011-12-07 Thread Rui Hu
Hi,
I want to modify apache core to implement a function which can achieve
following expectations:

when I request 1000.xxx.com/test.php ( curl 1000.xxx.com/test.php),
originally apache will get absolute address as $document_root/test.php, but
I want apache to get $document_root/1000/test.php. Namely, apache will
parse 1000 from the request URI to form absolute address. Then php-cgi
can get this php script to execute.

Previously, I just modified PHP zend to achieve this function. But
considering that other language support would be added to the system such
as Python, therefore, modifying Web Server (apache) is a more convenient
way.

But I'm worried that this modification will result in some unexpected
errors in some modules, and I don't know what's the best place I should
modify. Should I modify the $document_root or $request_uri ?

Really appreciate your help.


-- 
Best regards,

Rui Hu

State Key Laboratory of Networking & Switching Technology
Beijing University of Posts and Telecommunications(BUPT)
MSN: tchrb...@gmail.com
-


Re: questions about document_root

2011-12-07 Thread Nick Kew

On 7 Dec 2011, at 10:54, Rui Hu wrote:

 Hi, 
 I want to modify apache core to implement a function which can achieve 
 following expectations:

That's a simple task for a simple module.

Since you talk of modifying the core, I infer you're not familiar with the 
modular structure.
If I might indulge in a bit of self-promotion, a starting point for this is 
ISBN: 0-13-240967-4
(also http://www.apachetutor.org/ )

-- 
Nick Kew
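
The host-label-to-subdirectory mapping Rui Hu describes, as an added example that is not code from any participant and not an httpd module: Python, so it runs without httpd headers, computing the path a translate-name style hook would hand back, together with the two checks a module doing this should make before the path reaches the filesystem: the leading host label has to be exactly the digit string the scheme expects, and the resolved path has to stay inside that tenant's directory after percent-decoding and `..` normalisation. DOCROOT, the label pattern and the sample requests are assumptions.

```python
"""Map 'NNNN.example.com/path' to '<docroot>/NNNN/path' with containment checks.

Constructed example: the document root, the label format and the sample
requests are assumptions, not values taken from httpd or from the thread.
"""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"               # assumed DocumentRoot
LABEL_RE = re.compile(r"[0-9]{1,8}")     # leading host label must be a bare number


def map_request_path(host, request_uri, docroot=DOCROOT):
    """Return the filesystem path for the request, or None if it must be refused.

    `host` is the Host header value (it may carry a port); `request_uri` is
    the raw request target. Refusing rather than falling back is deliberate:
    a request that does not fit the scheme should not silently land in the
    shared document root.
    """
    hostname = host.split(":", 1)[0].strip().lower()
    label = hostname.split(".", 1)[0]
    if not LABEL_RE.fullmatch(label):
        return None                         # e.g. 'evil.xxx.com' or an empty label

    path = unquote(request_uri.split("?", 1)[0])   # drop the query, undo %2e etc.
    if "\x00" in path:
        return None                         # a NUL would truncate the C string later

    tenant_root = posixpath.join(docroot, label)
    candidate = posixpath.normpath(posixpath.join(tenant_root, path.lstrip("/")))

    # Containment: after normalisation the path must still sit under the tenant dir.
    if posixpath.commonpath([tenant_root, candidate]) != tenant_root:
        return None
    return candidate


def demo():
    """Constructed requests showing accepted and refused mappings."""
    cases = [
        ("1000.xxx.com", "/test.php"),
        ("1000.xxx.com:8080", "/sub/../test.php?x=1"),
        ("1000.xxx.com", "/%2e%2e/2000/secret.txt"),
        ("evil.xxx.com", "/test.php"),
        ("1000.xxx.com", "/a%00.php"),
    ]
    return {f"{h} {u}": map_request_path(h, u) for h, u in cases}


if __name__ == "__main__":
    for request, mapped in demo().items():
        print(f"{request} -> {mapped}")
```

The containment check is the part that matters once the subdirectory comes from attacker-controlled input (the Host header): normalising first and then comparing against the tenant root catches both literal and percent-encoded `..`, and the label pattern keeps anything that is not a tenant number out of the path entirely.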

Re: svn commit: r1209766 [9/12] - in /httpd/httpd/trunk: docs/log-message-tags/ modules/aaa/ modules/apreq/ modules/arch/netware/ modules/arch/unix/ modules/arch/win32/ modules/cache/ modules/cluster/

2011-12-07 Thread Kaspar Brand
On 03.12.2011 00:02, s...@apache.org wrote:
 Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_log.c
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_log.c?rev=1209766r1=1209765r2=1209766view=diff
 ==
 --- httpd/httpd/trunk/modules/ssl/ssl_engine_log.c (original)
 +++ httpd/httpd/trunk/modules/ssl/ssl_engine_log.c Fri Dec  2 23:02:04 2011
 @@ -94,7 +94,7 @@ void ssl_log_ssl_error(const char *file,
  annotation = ssl_log_annotation(err);
  
  ap_log_error(file, line, APLOG_MODULE_INDEX, level, 0, s,
 - SSL Library Error: %s%s%s%s%s%s,
 + APLOGNO(02021) SSL Library Error: %s%s%s%s%s%s,
   /* %s */
   err,
   /* %s%s%s */
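
Review bot: APLOGNO(02021) is attached inside ssl_log_ssl_error(), which is a shared wrapper around ap_log_error() used from many places in mod_ssl, so every caller now logs the same tag and the tag no longer identifies a distinct message site. Suggest leaving this wrapper untagged, or adding a parameter so each caller passes in its own tag and uses it for both its ap_log_* call and this one.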
 @@ -135,7 +135,7 @@ static void ssl_log_cert_error(const cha
   */
  int maxdnlen = (HUGE_STRING_LEN - msglen - 300) / 2;
  
 -BIO_puts(bio,  [subject: );
 +BIO_puts(bio, APLOGNO(02022)  [subject: );
  name = SSL_X509_NAME_to_string(p, X509_get_subject_name(cert),
 maxdnlen);
  if (!strIsEmpty(name)) {
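
Review bot: `BIO_puts(bio, APLOGNO(02022)  [subject: );` writes the tag into the middle of the certificate-error text that ssl_log_cert_error() is assembling (the surrounding code already accounts for msglen bytes of message in buf), so the tag will not appear at the start of the log line. Suggest dropping the tag from this helper and tagging the ap_log_* call sites that invoke it instead.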
 @@ -174,7 +174,7 @@ static void ssl_log_cert_error(const cha
  }
  else {
  apr_snprintf(buf + msglen, sizeof buf - msglen,
 -  [certificate: -not available-]);
 + APLOGNO(02023)  [certificate: -not available-]);
  }
  
  if (r) {
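
Review bot: `apr_snprintf(buf + msglen, sizeof buf - msglen, APLOGNO(02023)  [certificate: -not available-]);` appends the tag after the msglen bytes already in buf, so it lands mid-message rather than at the start of the line; and because 02022 and 02023 tag the two branches of one helper, the same caller would emit different tags depending only on whether a certificate was available. Suggest removing the tag here and letting each caller of ssl_log_cert_error() carry its own.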
 

These changes aren't doing the right thing, I think... both
ssl_log_ssl_error() and ssl_log_cert_error() are basically wrappers for
ap_log_*(), and are therefore called from various places in mod_ssl -
i.e. the messages triggering them should get different tags. (Also, in
the case of ssl_log_cert_error, the error tag is currently inserted
somewhere in the middle of the message, because ssl_log_cert_error
appends to a message already stored in buf.)

ssl_log_ssl_error is (virtually?) always called in combination with
ap_log_*, so we might do without a tag for these messages - or
otherwise, modify ssl_log_ssl_error to allow a tag to be passed in, and
then use the same tag in both log calls (?). Finally, as far as
ssl_log_xerror/ssl_log_cxerror/ssl_log_rxerror are concerned, would it
be possible to extend the Coccinelle patch file so that these are also
recognized?

Kaspar


heartbeat.h

2011-12-07 Thread Joe Orton
Is heartbeat.h supposed to be part of the public API?  It contains a 
single structure, no explanation of what it is for.  Joe



Re: Are we there yet?

2011-12-07 Thread William A. Rowe Jr.
I'd like to see us ship the bundled apr sources (well, I'd like to
see NO bundled apr sources, but...) to include the APR_HAS_IPV6 for
our windows apr.hw, given that all win platforms supported /today/
have support, and it works out quite well.

Of course it's a deep intrinsic change in the build (something that
didn't have to happen, but c'est la vie)... and would be incompatible
with older httpd's and some third party modules.

To mark the auspicious occasion, what would folks think of shifting
to apr 1.5 so that post-1.4 is the dividing line, for simplicity's
sake?  Or, other suggestions about bridging that divide?



Re: svn commit: r1209766 [9/12] - in /httpd/httpd/trunk: docs/log-message-tags/ modules/aaa/ modules/apreq/ modules/arch/netware/ modules/arch/unix/ modules/arch/win32/ modules/cache/ modules/cluster/

2011-12-07 Thread Stefan Fritsch
On Wednesday 07 December 2011, Kaspar Brand wrote:
 These changes aren't doing the right thing, I think... both
 ssl_log_ssl_error() and ssl_log_cert_error() are basically wrappers
 for ap_log_*(), and are therefore called from various places in
 mod_ssl - i.e. the messages triggering them should get different
 tags. (Also, in the case of ssl_log_cert_error, the error tag is
 currently inserted somewhere in the middle of the message, because
 ssl_log_cert_error appends to a message already stored in buf.)
 
 ssl_log_ssl_error is (virtually?) always called in combination with
 ap_log_*, so we might do without a tag for these messages - or
 otherwise, modify ssl_log_ssl_error to allow a tag to be passed in,
 and then use the same tag in both log calls (?). Finally, as far
 as ssl_log_xerror/ssl_log_cxerror/ssl_log_rxerror are concerned,
 would it be possible to extend the Coccinelle patch file so that
 these are also recognized?

Good point. Fixed/added in r1211680. I have not modified 
ssl_log_ssl_error() besides removing the tag. It's really only called 
together with some other log message, so the tag doesn't add any 
value.


Re: questions about document_root

2011-12-07 Thread Rui Hu
Thanks for your advice. I just started to learn Apache & PHP.

I looked up the code of PHP and apache2, and found that PHP gets docroot
from environment var $DOCUMENT_ROOT. However in apache, I cannot find any
code which assigns this var.

I googled but got nothing. Can you please show me the detailed process
generating $DOCUMENT_ROOT in $_SERVER from apache to php. Thank you very
much!



2011/12/7 Nick Kew n...@webthing.com


 On 7 Dec 2011, at 10:54, Rui Hu wrote:

  Hi,
  I want to modify apache core to implement a function which can achieve
 following expectations:

 That's a simple task for a simple module.

 Since you talk of modifying the core, I infer you're not familiar with the
 modular structure.
 If I might indulge in a bit of self-promotion, a starting point for this is
 ISBN: 0-13-240967-4
 (also http://www.apachetutor.org/ )

 --
 Nick Kew




-- 
Best regards,

Rui Hu

State Key Laboratory of Networking & Switching Technology
Beijing University of Posts and Telecommunications(BUPT)
MSN: tchrb...@gmail.com
-


Re: questions about document_root

2011-12-07 Thread Mark Montague

On December 7, 2011 23:23 , Rui Hu tchrb...@gmail.com wrote:
I looked up the code of PHP and apache2, and found that PHP gets 
docroot from environment var $DOCUMENT_ROOT. However in apache, I 
cannot find any code which assign this var.


I googled but got nothing. Can you please show me the detailed process 
generating $DOCUMENT_ROOT in $_SERVER from apache to php. Thank you 
very much!


If you invoke PHP as a CGI, then Apache HTTP Server sets DOCUMENT_ROOT 
in the function ap_add_common_vars() which is in the file 
server/util_script.c


See line 237,

https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/util_script.c?revision=1100216&view=markup


--
  Mark Montague
  m...@catseye.org



Re: questions about document_root

2011-12-07 Thread Rui Hu
2011/12/8 Rui Hu tchrb...@gmail.com

 Is $DOCUMENT_ROOT in php-cgi determined by ap_add_common_vars() in Apache?
 It seems not to me. I commented out line 237 assigning DOCUMENT_ROOT and
 re-compiled apache. php-cgi still works fine. It seems that $DOCUMENT_ROOT
 in php-cgi is not determined by this function.

 I looked up php's code, php-cgi gets DOCUMENT_ROOT in following codes:

 /* DOCUMENT_ROOT */
 value = lstFset_get(rc->t->vars, "docroot");
 if (value != NULL)
     php_register_variable("DOCUMENT_ROOT", value, track_vars_array TSRMLS_CC);

 It gets docroot from a k-v table and the key is "docroot". In the above code,
 rc->t is a variable of httpTtrans.


 2011/12/8 Mark Montague m...@catseye.org

 On December 7, 2011 23:23 , Rui Hu tchrb...@gmail.com wrote:

 I looked up the code of PHP and apache2, and found that PHP gets docroot
 from environment var $DOCUMENT_ROOT. However in apache, I cannot find any
 code which assign this var.

 I googled but got nothing. Can you please show me the detailed process
 generating $DOCUMENT_ROOT in $_SERVER from apache to php. Thank you very
 much!


 If you invoke PHP as a CGI, then Apache HTTP Server sets DOCUMENT_ROOT in
 the function ap_add_common_vars() which is in the file server/util_script.c

 See line 237,

 https://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/util_script.c?revision=1100216&view=markup


 --
  Mark Montague
  m...@catseye.org




 --
 Best regards,

 Rui Hu

 
 State Key Laboratory of Networking & Switching Technology
 Beijing University of Posts and Telecommunications(BUPT)
 MSN: tchrb...@gmail.com

 -





-- 
Best regards,

Rui Hu

State Key Laboratory of Networking & Switching Technology
Beijing University of Posts and Telecommunications(BUPT)
MSN: tchrb...@gmail.com
-