Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
On Mon, Apr 14, 2014 at 11:29 AM, Joe Orton jor...@redhat.com wrote:

> On Mon, Apr 14, 2014 at 08:32:18AM -0400, Jeff Trawick wrote:
> > FWIW, I think it is reasonable to say "This *is* a private mod_ssl interface for the purposes of introducing some modularity within this particular SSL/TLS implementation, and these interfaces aren't intended for third-party modules." That's not how I coded it, but now that somebody has actually looked I'm curious about your thoughts.
>
> Hmmm, I think the only distinction that matters is whether it's in a header installed by "make install". I don't think we can successfully hide private APIs in public headers, modules will use them regardless of the "here be dragons" comments - or e.g. CORE_PRIVATE!
>
> Regards, Joe

Well, yes ;)

But punt for now. In the short term I need it to be easy to build the CT module outside of httpd, so install it is.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
On Sat, Apr 12, 2014 at 09:00:08AM -0400, Jeff Trawick wrote:

> So... Concerns? Suggestions? Etc.? Speak up, or forever* ask me to fix it after committing ;)
>
> (*Let's not be ridiculous though)

Interesting stuff! I do think it is preferable to keep mod_ssl.h toolkit-agnostic. Because the API you are adding is not intended to be private, I'd suggest mod_ssl_openssl.h or something like that instead.

Regards, Joe
Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
On 14 Apr 2014, at 2:03 PM, Joe Orton jor...@redhat.com wrote:

> Interesting stuff! I do think it is preferable to keep mod_ssl.h toolkit-agnostic.

+1.

> Because the API you are adding is not intended to be private, I'd suggest mod_ssl_openssl.h or something like that instead.

Pass what you need as DER encoded structures, that way you can swap backends and they will still work.

Regards, Graham
Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
On Mon, Apr 14, 2014 at 8:03 AM, Joe Orton jor...@redhat.com wrote:

> On Sat, Apr 12, 2014 at 09:00:08AM -0400, Jeff Trawick wrote:
> > So... Concerns? Suggestions? Etc.? Speak up, or forever* ask me to fix it after committing ;)
> >
> > (*Let's not be ridiculous though)
>
> Interesting stuff! I do think it is preferable to keep mod_ssl.h toolkit-agnostic. Because the API you are adding is not intended to be private, I'd suggest mod_ssl_openssl.h or something like that instead.

I'll do that.

FWIW, I think it is reasonable to say "This *is* a private mod_ssl interface for the purposes of introducing some modularity within this particular SSL/TLS implementation, and these interfaces aren't intended for third-party modules." That's not how I coded it, but now that somebody has actually looked I'm curious about your thoughts.

> Regards, Joe

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
On Mon, Apr 14, 2014 at 8:14 AM, Graham Leggett minf...@sharp.fm wrote:

> On 14 Apr 2014, at 2:03 PM, Joe Orton jor...@redhat.com wrote:
> > Interesting stuff! I do think it is preferable to keep mod_ssl.h toolkit-agnostic.
>
> +1.
>
> > Because the API you are adding is not intended to be private, I'd suggest mod_ssl_openssl.h or something like that instead.
>
> Pass what you need as DER encoded structures, that way you can swap backends and they will still work.

Pragmatically, what I need is to make OpenSSL calls at certain points (e.g., augment the type of setup that mod_ssl is doing). I'm not in a position (i.e., many days with nothing to do) to create enough generic interfaces to allow arbitrary mod_foo+FooSSL to implement CT. The generic TLS extension APIs submitted earlier were just a start, and even those needed additional work.

> Regards, Graham

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [PATCH] mod_ssl APIs to allow implementation of Certificate Transparency as a separate mod
On Mon, Apr 14, 2014 at 08:32:18AM -0400, Jeff Trawick wrote:

> FWIW, I think it is reasonable to say "This *is* a private mod_ssl interface for the purposes of introducing some modularity within this particular SSL/TLS implementation, and these interfaces aren't intended for third-party modules." That's not how I coded it, but now that somebody has actually looked I'm curious about your thoughts.

Hmmm, I think the only distinction that matters is whether it's in a header installed by "make install". I don't think we can successfully hide private APIs in public headers, modules will use them regardless of the "here be dragons" comments - or e.g. CORE_PRIVATE!

Regards, Joe