Re: [mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
Thanks for the info, it's exactly what I needed.

-pete

Stas Bekman wrote:
> Peter Rothermel wrote:
>> Stas Bekman wrote:
>>> Peter Rothermel wrote:
>>>> PerlChildInitHandler Apache::foo->loadkey
>>>>
>>>> Will the genkey method get executed at the initialization of each thread?
>>>
>>> Apache doesn't provide such a hook yet. Maybe in the future. child_init is for child process init, not threads.
>>> http://perl.apache.org/release/docs/2.0/user/handlers/handlers.html#PerlChildInitHandler
>>>
>>> What are you trying to do?
>>
>> I'm encrypting/decrypting data within cookies that are holding session keys for authentication purposes. I decrypt the session key within the cookie data, whenever I get an http request that has a cookie in the header. The RSA keys that I use for encryption/decryption are regenerated when the Apache server is started. My module has a load_key subroutine that I call before I do any encryption or decryption. This returns an RSA object that is initialized with a global var that holds a 2048-bit RSA key. If the global var is empty I generate a new key. The code works OK but I seem to be generating a 2048-bit key the first time that a user logs into my site. This key generation takes a while. I would prefer generating the key when server/thread/interpreter is started. I was hoping that a PerlChildInitHandler could be used to call the gen_key subroutine to load the data into global var $private_key_string.
>
> There are a few possible approaches to this:
>
> 1. for mod_perl to provide hooks for the following events:
>
>        interp_init    (INIT)
>        interp_destroy (DESTROY)
>
>    so these can be run when a new interpreter is initialized after it has been cloned and when it's going to be destroyed.
>
> 2. Using the thread interpreter pool mechanism for managing other items. But it's not clear whether this interface will ever have a Perl API, because threads::shared already does that.
>
> 3. Build a pool based on threads::shared. Similar to what Doug has described in his overview: http://perl.apache.org/release/docs/2.0/user/overview/overview.html#Thread_Item_Pool_API and which is now doable in pure Perl based on threads::shared.
>
> This is an interesting vacant module, but really you can just duplicate the concepts that Doug has described in the URL above. You want to be able to add new items, remove them, pop and push from the pool. Should it be called Threads::TIPool as coined by Doug? (Thread Items Pool)
>
> Using this (currently not-existing) module you can create a pool of keys at the server startup and then use them whenever you need a key at run time.
>
> This is the same concept that the threaded version of Apache::DBI is going to use, and AFAIK is vacant as well. The challenge is to make it possible to have modules like Apache::DBI work transparently under various mpms, including the preforked and perchild mpms.
>
> __
> Stas Bekman JAm_pH -- Just Another mod_perl Hacker
> http://stason.org/ mod_perl Guide --- http://perl.apache.org
> mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org http://ticketmaster.com
[mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
greetings,

I'm looking for the documentation that describes how PerlChildInitHandlers work with multiple threads on Win32 platforms.

Here's a specific question:

I have the following in my httpd.conf:

    <IfModule mpm_winnt.c>
        ThreadsPerChild 10
        MaxRequestsPerChild 0
    </IfModule>

    PerlChildInitHandler Apache::foo->genkey

Will the genkey method get executed at the initialization of each thread?

-pete
Re: [mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
Peter Rothermel wrote:
> greetings,
>
> I'm looking for the documentation that describes how PerlChildInitHandlers work with multiple threads on Win32 platforms.
>
> Here's a specific question:
>
> I have the following in my httpd.conf:
>
>     <IfModule mpm_winnt.c>
>         ThreadsPerChild 10
>         MaxRequestsPerChild 0
>     </IfModule>
>
>     PerlChildInitHandler Apache::foo->genkey
>
> Will the genkey method get executed at the initialization of each thread?

Apache doesn't provide such a hook yet. Maybe in the future. child_init is for child process init, not threads.
http://perl.apache.org/release/docs/2.0/user/handlers/handlers.html#PerlChildInitHandler

What are you trying to do?

You should try to write your code in an mpm-agnostic way if possible, so the same code can run under various mpms.

__
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
Re: [mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
Stas Bekman wrote:
> Peter Rothermel wrote:
>> PerlChildInitHandler Apache::foo->loadkey
>>
>> Will the genkey method get executed at the initialization of each thread?
>
> Apache doesn't provide such a hook yet. Maybe in the future. child_init is for child process init, not threads.
> http://perl.apache.org/release/docs/2.0/user/handlers/handlers.html#PerlChildInitHandler
>
> What are you trying to do?

I'm encrypting/decrypting data within cookies that are holding session keys for authentication purposes. I decrypt the session key within the cookie data, whenever I get an http request that has a cookie in the header. The RSA keys that I use for encryption/decryption are regenerated when the Apache server is started. My module has a load_key subroutine that I call before I do any encryption or decryption. This returns an RSA object that is initialized with a global var that holds a 2048-bit RSA key. If the global var is empty I generate a new key. The code works OK but I seem to be generating a 2048-bit key the first time that a user logs into my site. This key generation takes a while. I would prefer generating the key when server/thread/interpreter is started. I was hoping that a PerlChildInitHandler could be used to call the gen_key subroutine to load the data into global var $private_key_string.

    use Crypt::OpenSSL::RSA;
    use vars qw($VERSION $private_key_string @ISA);

    # Generate a 2048-bit RSA key, cache its PEM form in the global,
    # and return the RSA object.
    sub gen_key : method {
        my ($self, $r) = @_;
        my $rlog = $r->log;
        my $tmprsa = Crypt::OpenSSL::RSA->new();
        $rlog->notice("Generating a RSA key");
        $tmprsa->generate_key(2048);
        $private_key_string = $tmprsa->get_private_key_string();
        return $tmprsa;
    }

    # Return an RSA object for the cached key; generate the key on first use.
    sub load_key : method {
        my ($self, $r) = @_;
        my $rlog = $r->log;
        my $rsa;
        if (length($private_key_string)) {
            $rsa = Crypt::OpenSSL::RSA->new();
            $rsa->load_private_key($private_key_string);
        }
        else {
            $rsa = $self->gen_key($r);
        }
        return $rsa;
    }

> You should try to write your code in an mpm-agnostic way if possible, so the same code can run under various mpms.
>
> __
> Stas Bekman JAm_pH -- Just Another mod_perl Hacker
> http://stason.org/ mod_perl Guide --- http://perl.apache.org
> mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
> http://modperlbook.org http://apache.org http://ticketmaster.com
Re: [mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
Peter Rothermel [EMAIL PROTECTED] writes:

> Stas Bekman wrote:
>> Peter Rothermel wrote:
>>> PerlChildInitHandler Apache::foo->loadkey
>>>
>>> Will the genkey method get executed at the initialization of each thread?
>>
>> Apache doesn't provide such a hook yet. Maybe in the future. child_init is for child process init, not threads.
>> http://perl.apache.org/release/docs/2.0/user/handlers/handlers.html#PerlChildInitHandler
>>
>> What are you trying to do?
>
> I'm encrypting/decrypting data within cookies that are holding session keys for authentication purposes. I decrypt the session key within the cookie data, whenever I get an http request that has a cookie in the header.

What's the benefit of encrypting the session keys in the cookie? If they're randomly chosen from a very large space, the probability of guessing a valid session key can be made exactly equal to the probability of guessing the encryption key.

In particular, if the *result* of the encryption is, say, a 32-bit encrypted session key, is that any more secure than simply picking a random 32-bit session key to begin with? Even with a 2048-bit encryption key, there are actually only 32 bits of space to search for a hit. (So you don't need to have a 2048-bit session key space to match the security of a 2048-bit encryption key applied to a 32-bit session key space; a 32-bit session key space alone is just as safe.)

And of course the key generation, encryption, and decryption take CPU power, *and* require additional code that could have bugs, which could be security problems.

I've seen people (including one client) *very* committed to this encrypted session key concept before, and I've never been able to understand what benefit it buys them. I ask because I'm NOT yet totally convinced I'm right; though I'm convinced enough that the sites I design depend on it. (One obvious answer is there are big wins for us in having session keys that *aren't* randomly chosen).

--
David Dyer-Bennet, [EMAIL PROTECTED] / New TMDA anti-spam in test
John Dyer-Bennet 1915-2002 Memorial Site http://john.dyer-bennet.net
Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
New Dragaera mailing lists, see http://dragaera.info
Re: [mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
David Dyer-Bennet wrote:
> Peter Rothermel [EMAIL PROTECTED] writes:
>> Stas Bekman wrote:
>>> Peter Rothermel wrote:
>>>> PerlChildInitHandler Apache::foo->loadkey
>>>>
>>>> Will the genkey method get executed at the initialization of each thread?
>>>
>>> Apache doesn't provide such a hook yet. Maybe in the future. child_init is for child process init, not threads.
>>> http://perl.apache.org/release/docs/2.0/user/handlers/handlers.html#PerlChildInitHandler
>>>
>>> What are you trying to do?
>>
>> I'm encrypting/decrypting data within cookies that are holding session keys for authentication purposes. I decrypt the session key within the cookie data, whenever I get an http request that has a cookie in the header.
>
> What's the benefit of encrypting the session keys in the cookie? If they're randomly chosen from a very large space, the probability of guessing a valid session key can be made exactly equal to the probability of guessing the encryption key.

I am using the term session key in the context of the Apache::AuthCookie module that is maintained by Michael Schout. In my system, the session key holds some group membership and access rights information that is returned by an authentication server when the user provides credentials (username, password,..) via a login page. The session key is not very large or randomly selected.

> In particular, if the *result* of the encryption is, say, a 32-bit encrypted session key, is that any more secure than simply picking a random 32-bit session key to begin with? Even with a 2048-bit encryption key, there are actually only 32 bits of space to search for a hit. (So you don't need to have a 2048-bit session key space to match the security of a 2048-bit encryption key applied to a 32-bit session key space; a 32-bit session key space alone is just as safe.)
>
> And of course the key generation, encryption, and decryption take CPU power, *and* require additional code that could have bugs, which could be security problems.
>
> I've seen people (including one client) *very* committed to this encrypted session key concept before, and I've never been able to understand what benefit it buys them. I ask because I'm NOT yet totally convinced I'm right; though I'm convinced enough that the sites I design depend on it. (One obvious answer is there are big wins for us in having session keys that *aren't* randomly chosen).
>
> --
> David Dyer-Bennet, [EMAIL PROTECTED] / New TMDA anti-spam in test
> John Dyer-Bennet 1915-2002 Memorial Site http://john.dyer-bennet.net
> Book log: http://www.dd-b.net/dd-b/Ouroboros/booknotes/
> New Dragaera mailing lists, see http://dragaera.info
Re: [mod_perl2] PerlChildInitHandlers with multiple (Win32) threads
Peter Rothermel wrote:
> Stas Bekman wrote:
>> Peter Rothermel wrote:
>>> PerlChildInitHandler Apache::foo->loadkey
>>>
>>> Will the genkey method get executed at the initialization of each thread?
>>
>> Apache doesn't provide such a hook yet. Maybe in the future. child_init is for child process init, not threads.
>> http://perl.apache.org/release/docs/2.0/user/handlers/handlers.html#PerlChildInitHandler
>>
>> What are you trying to do?
>
> I'm encrypting/decrypting data within cookies that are holding session keys for authentication purposes. I decrypt the session key within the cookie data, whenever I get an http request that has a cookie in the header. The RSA keys that I use for encryption/decryption are regenerated when the Apache server is started. My module has a load_key subroutine that I call before I do any encryption or decryption. This returns an RSA object that is initialized with a global var that holds a 2048-bit RSA key. If the global var is empty I generate a new key. The code works OK but I seem to be generating a 2048-bit key the first time that a user logs into my site. This key generation takes a while. I would prefer generating the key when server/thread/interpreter is started. I was hoping that a PerlChildInitHandler could be used to call the gen_key subroutine to load the data into global var $private_key_string.

There are a few possible approaches to this:

1. for mod_perl to provide hooks for the following events:

       interp_init    (INIT)
       interp_destroy (DESTROY)

   so these can be run when a new interpreter is initialized after it has been cloned and when it's going to be destroyed.

2. Using the thread interpreter pool mechanism for managing other items. But it's not clear whether this interface will ever have a Perl API, because threads::shared already does that.

3. Build a pool based on threads::shared. Similar to what Doug has described in his overview: http://perl.apache.org/release/docs/2.0/user/overview/overview.html#Thread_Item_Pool_API and which is now doable in pure Perl based on threads::shared.

This is an interesting vacant module, but really you can just duplicate the concepts that Doug has described in the URL above. You want to be able to add new items, remove them, pop and push from the pool. Should it be called Threads::TIPool as coined by Doug? (Thread Items Pool)

Using this (currently not-existing) module you can create a pool of keys at the server startup and then use them whenever you need a key at run time.

This is the same concept that the threaded version of Apache::DBI is going to use, and AFAIK is vacant as well. The challenge is to make it possible to have modules like Apache::DBI work transparently under various mpms, including the preforked and perchild mpms.

__
Stas Bekman JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
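
Option 3 in the message above (a pool built on threads::shared with add, pop and push, filled with keys at startup) as an added sketch; it is not code from this thread or from mod_perl. It runs as a stand-alone script with Perl ithreads rather than inside Apache, `pool_add`, `pool_pop`, `pool_push` and the worker demo are illustrative names, and it uses the current `Crypt::OpenSSL::RSA` class methods `generate_key` and `new_private_key`.

```perl
#!/usr/bin/perl
# Added sketch: an item pool on threads::shared, run as a stand-alone script.
# pool_add/pool_pop/pool_push and the worker demo are illustrative names.
use strict;
use warnings;
use threads;
use threads::shared;
use Crypt::OpenSSL::RSA;

my @pool :shared;    # holds PEM strings; plain scalars can live in a shared array

# Put an item into the pool and wake one thread waiting in pool_pop().
sub pool_add {
    my ($item) = @_;
    lock(@pool);
    push @pool, $item;
    cond_signal(@pool);
    return scalar @pool;
}

# Check an item out; blocks while the pool is empty.
sub pool_pop {
    lock(@pool);
    cond_wait(@pool) until @pool;
    return shift @pool;
}

# Hand an item back once the caller is done with it.
sub pool_push { return pool_add(@_) }

# "Server startup": pay the key generation cost before any worker exists.
pool_add(Crypt::OpenSSL::RSA->generate_key(2048)->get_private_key_string) for 1 .. 2;

# Four workers share two keys, so some of them wait in pool_pop().
my @workers = map {
    my $id = $_;
    threads->create(sub {
        my $pem = pool_pop();
        my $rsa = Crypt::OpenSSL::RSA->new_private_key($pem);   # per-thread object
        my $msg = "constructed sample payload $id";
        my $ok  = $rsa->decrypt($rsa->encrypt($msg)) eq $msg;
        pool_push($pem);
        return $ok ? "worker $id: round trip ok" : "worker $id: FAILED";
    });
} 1 .. 4;

print $_->join, "\n" for @workers;
print "keys back in pool: ", scalar(@pool), "\n";
```

Each pooled key is distinct, so data encrypted with one checked-out key can only be decrypted with that same key.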