Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-22 Thread Jim Jagielski

On Feb 22, 2011, at 10:45 AM, William A. Rowe Jr. wrote:

> On 2/22/2011 9:43 AM, Graham Leggett wrote:
>> On 22 Feb 2011, at 17:13, Jim Jagielski wrote:
>> 
>>> I think we're about ready... My plan is to T&R 2.3.11-beta the start
>>> of next week, allowing this week for some final touches...
>> 
>> Remind me, at what point does the API freeze?
> 
> When 2.3-beta becomes 2.4.0, the API is frozen,

Yeppers... Right now, it's just slushy ;)



Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-22 Thread William A. Rowe Jr.
On 2/22/2011 9:43 AM, Graham Leggett wrote:
> On 22 Feb 2011, at 17:13, Jim Jagielski wrote:
> 
>> I think we're about ready... My plan is to T&R 2.3.11-beta the start
>> of next week, allowing this week for some final touches...
> 
> Remind me, at what point does the API freeze?

When 2.3-beta becomes 2.4.0, the API is frozen, and 2.3-beta forks to
a 2.5 working branch for forward API actions into 2.6 or 3.0


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-22 Thread Graham Leggett
On 22 Feb 2011, at 17:13, Jim Jagielski wrote:

> I think we're about ready... My plan is to T&R 2.3.11-beta the start
> of next week, allowing this week for some final touches...

Remind me, at what point does the API freeze?

Regards,
Graham
--



Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-22 Thread Jim Jagielski
I think we're about ready... My plan is to T&R 2.3.11-beta the start
of next week, allowing this week for some final touches...


On Feb 10, 2011, at 9:27 AM, Jim Jagielski wrote:

> Let's commit to pushing for a 2.3.11-BETA...
> 



Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-22 Thread Jim Jagielski

On Feb 14, 2011, at 5:00 PM, William A. Rowe Jr. wrote:

> On 2/12/2011 10:14 AM, Stefan Fritsch wrote:
>> On Thursday 10 February 2011, Jim Jagielski wrote:
>>> Let's commit to pushing for a 2.3.11-BETA...
>> 
>> +1
>> 
>> One question: How do we handle truly experimental modules (e.g. 
>> mpm_simple, mod_serf). Move them into an experimental subdir before 
>> branching or branch first and then move stuff around? Or just mark 
>> them as experimental in the docs and maybe in configure?
> 
> IMHO, all 'experiments' should be provided in all alpha and beta
> tarballs (disabled by default, obviously).
> 
> When 2.4 is forked, these can be cast out of the tarball and provided
> separately until they have the support of the developers.  It seems
> too many legitimate bits have been left in the dumpster of experimental
> for too long in the past, and having a clear 'promote before GA' policy
> would help recruit eyeballs to elevate them to code with oversight.

+1


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-14 Thread William A. Rowe Jr.
On 2/14/2011 12:21 PM, Nick Kew wrote:
> On Mon, 14 Feb 2011 09:20:49 -0800
> "Gregg L. Smith" wrote:
> 
>> Hi folks,
>>
>> In the spirit of beta, could we get the last missing module that I know of, 
>> mod_authn_socache, in the Windows build? Reading its doc it sounds like a 
>> good module to have if using dbd for authentication.
> 
> Should be a useful module for dbd-authn users on any platform!
> But I don't have a windows platform to test on.

I'm happy to do this, or review this if someone has beaten me to it
before Wednesday.


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-14 Thread William A. Rowe Jr.
On 2/12/2011 10:14 AM, Stefan Fritsch wrote:
> On Thursday 10 February 2011, Jim Jagielski wrote:
>> Let's commit to pushing for a 2.3.11-BETA...
> 
> +1
> 
> One question: How do we handle truly experimental modules (e.g. 
> mpm_simple, mod_serf). Move them into an experimental subdir before 
> branching or branch first and then move stuff around? Or just mark 
> them as experimental in the docs and maybe in configure?

IMHO, all 'experiments' should be provided in all alpha and beta
tarballs (disabled by default, obviously).

When 2.4 is forked, these can be cast out of the tarball and provided
separately until they have the support of the developers.  It seems
too many legitimate bits have been left in the dumpster of experimental
for too long in the past, and having a clear 'promote before GA' policy
would help recruit eyeballs to elevate them to code with oversight.

WDYAT?


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-14 Thread Nick Kew
On Mon, 14 Feb 2011 09:20:49 -0800
"Gregg L. Smith" wrote:

> Hi folks,
> 
> In the spirit of beta, could we get the last missing module that I know of, 
> mod_authn_socache, in the Windows build? Reading its doc it sounds like a 
> good module to have if using dbd for authentication.

Should be a useful module for dbd-authn users on any platform!
But I don't have a windows platform to test on.

> It currently crashes if loaded without any configuration in Windows, it may 
> even crash with configuration for all I know but I do not have a setup to use 
> to configure it for at the moment. 

When does it crash?  At startup, or when processing requests?

Are you in a position to send any diagnostic information
like a traceback that could help us find a bug?

Are you running any other modules that use socache?


-- 
Nick Kew

Available for work, contract or permanent.
http://www.webthing.com/~nick/cv.html


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-14 Thread Jim Jagielski
Thx! I'm not a Windows user so any info/update/patches are
extremely welcome!

On Feb 14, 2011, at 12:20 PM, Gregg L. Smith wrote:

> Hi folks,
> 
> In the spirit of beta, could we get the last missing module that I know of, 
> mod_authn_socache, in the Windows build? Reading its doc it sounds like a 
> good module to have if using dbd for authentication.
> 
> It currently crashes if loaded without any configuration in Windows, it may 
> even crash with configuration for all I know but I do not have a setup to use 
> to configure it for at the moment.
> 
> So if there are no objections I'd like to have it added.
> 
> Regards,
> 
> Gregg
> 
> 
> -Original Message-
> From: Jim Jagielski 
> To: dev@httpd.apache.org
> Date: Thu, 10 Feb 2011 09:27:32 -0500
> Subject: Time to start planning for httpd 2.3.11-BETA ?
> 
> Let's commit to pushing for a 2.3.11-BETA...
> 



Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-14 Thread Gregg L. Smith
Hello again,

This gets our httpd.conf file in Windows up to date with what is actually 
being put on the file system with respect to modules. Applies with offset -1 if 
applied before the mod_authn_socache addition in my prior email.

Regards,

Gregg

-Original Message-
From: Jim Jagielski 
To: dev@httpd.apache.org
Date: Thu, 10 Feb 2011 09:27:32 -0500
Subject: Time to start planning for httpd 2.3.11-BETA ?

Let's commit to pushing for a 2.3.11-BETA...

awk_full_module_list.diff
Description: Binary data


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-14 Thread Gregg L. Smith
Hi folks,

In the spirit of beta, could we get the last missing module that I know of, 
mod_authn_socache, in the Windows build? Reading its doc it sounds like a good 
module to have if using dbd for authentication.

It currently crashes if loaded without any configuration in Windows, it may 
even crash with configuration for all I know but I do not have a setup to use 
to configure it for at the moment.

So if there are no objections I'd like to have it added.

Regards,

Gregg


-Original Message-
From: Jim Jagielski 
To: dev@httpd.apache.org
Date: Thu, 10 Feb 2011 09:27:32 -0500
Subject: Time to start planning for httpd 2.3.11-BETA ?

Let's commit to pushing for a 2.3.11-BETA...

mod_authn_socache_winbuild .diff
Description: Binary data


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-12 Thread Stefan Fritsch
On Thursday 10 February 2011, Jim Jagielski wrote:
> Let's commit to pushing for a 2.3.11-BETA...

+1

One question: How do we handle truly experimental modules (e.g. 
mpm_simple, mod_serf). Move them into an experimental subdir before 
branching or branch first and then move stuff around? Or just mark 
them as experimental in the docs and maybe in configure?


Re: Time to start planning for httpd 2.3.11-BETA ?

2011-02-12 Thread Kaspar Brand
On 10.02.2011 15:27, Jim Jagielski wrote:
> Let's commit to pushing for a 2.3.11-BETA...

I would certainly welcome that - what about the two (small) patches I
proposed about three weeks ago? Original message attached, for easier
reference.

Kaspar
--- Begin Message ---
On 17.01.2011 15:27, Dr Stephen Henson wrote:
> On 17/01/2011 13:39, Joe Orton wrote:
>> w.r.t. the change to skip OCSP validation for valid self-signed certs, I 
>> brought this up a while back:
>>
>> http://www.mail-archive.com/dev@httpd.apache.org/msg38849.html
>>
>> and Stephen said it should probably be configurable.  Has common practice 
>> evolved here such that hard-coding the less strict behaviour is 
>> reasonable?

The only case where checking self-signed, self-issued certs really makes
sense is the one mentioned by Steve - when an OCSP responder with an
explicitly trusted public key is used (case #3 in Steve's mail, in RFC
2560 section 2.2 it's called "Trusted Responder"). Certainly not a
common configuration for "In_ter_net" deployments, but maybe of use for
corporate/In_tra_net environments.

> I still believe it should be configurable.
> 
> A root CA can be revoked for a number of reasons although key compromise has
> security issues if the responder certificate is part of the chain (i.e. cases
> #1 and #2 in that message).

Remember such a root cert (trust anchor) will previously have been
configured through SSLCACertificateFile/SSLCACertificatePath anyway, so
the only "advantage" of OCSP checks for these would actually be that it
amounts to some kind of "alerting" feature for the admin - making him
aware of invalid root certs in his trust store. Once realized, he would
then certainly be better off with completely removing these roots from
the httpd config.

> Apache OCSP AFAIK currently doesn't handle case #3 at all (trusting responders
> with keys trusted by some out of band means).
> 
> There is a fix/enhancement for this (which also addresses the issue Steve
> Marquess brought up) in PR46037.

I don't mind adding support for trusted responders, but until that
happens, I consider hard-coding mod_ssl to skip OCSP checks for valid
self-signed certs a sensible choice. Even when support for trusted
responder is added, I don't think it needs to be configurable - it can
be enabled/disabled based on the existence of trusted responders in the
config (relying on the absence/presence of the OCSP_TRUSTOTHER verify
flag, effectively).

For convenience, I'm attaching the snippet which hasn't been committed yet.

Another small patch to mod_ssl, which I consider low-hanging fruit, is
attached to PR 48215
(https://issues.apache.org/bugzilla/attachment.cgi?id=24583).

Kaspar
Index: modules/ssl/ssl_engine_ocsp.c
===
--- modules/ssl/ssl_engine_ocsp.c   (revision 1060819)
+++ modules/ssl/ssl_engine_ocsp.c   (working copy)
@@ -252,6 +252,12 @@
 apr_pool_t *vpool;
 int rv;
 
+/* don't do OCSP checking for valid self-issued certs */
+if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
+X509_STORE_CTX_set_error(ctx, X509_V_OK);
+return 1;
+}
+
 /* Create a temporary pool to constrain memory use (the passed-in
  * pool may be e.g. a connection pool). */
 apr_pool_create(&vpool, pool);
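Review bot: the new guard at the top of the hunk reads `cert->valid` directly, which is an internal field of OpenSSL's X509 struct rather than public API, so the early return silently depends on this callback running only after OpenSSL's own signature verification has set that flag; a comment stating that precondition, and a public accessor where one exists, would make the assumption explicit and survive a future OpenSSL that hides the struct. The skip is also unconditional and leaves no trace: since the only value of checking a self-issued trust anchor is alerting the admin to a bad root in the trust store (as the discussion above notes), consider an `ap_log_cerror` at debug level before `return 1;` so that an operator can see in the log which certificates bypassed OCSP.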
--- End Message ---


Time to start planning for httpd 2.3.11-BETA ?

2011-02-10 Thread Jim Jagielski
Let's commit to pushing for a 2.3.11-BETA...