Re: What happened to SSLOnlyOnPort?

1999-04-23 Thread Ralf S. Engelschall

On Fri, Apr 23, 1999, James Simmons wrote:

 Really. When will this patch become available in the mainstream mod_ssl?
 Do you have some patches for it? I'm willing to try it. I have a test
 secure server to play with.

The stuff is still in my pkg.apache.listen/ source tree and not committed
because it's not finished. What's missing is a correct matching of host:port's,
which isn't trivial when one wants to do it in a general way, i.e. like the
vhost stuff works in Apache. I append my current state, but please keep in
mind that it's a diff against the current CVS state and not 2.2.8 (i.e. you
need to check out a version from CVS) and that I've not tried it for over 6-8
weeks now. So I cannot say what the current state is with the matching
stuff. But feel free to play with it and finalize it... ;) The general idea is
to provide an SSLListen directive which restricts the "SSLEngine on" and is
similar to Listen in usage.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

Index: src/include/http_vhost.h
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/include/http_vhost.h,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 http_vhost.h
--- src/include/http_vhost.h1999/01/10 10:46:44 1.1.1.2
+++ src/include/http_vhost.h1999/01/10 16:43:41
@@ -87,6 +87,10 @@
  */
 API_EXPORT(int) ap_matches_request_vhost(request_rec *r, const char *host,
 unsigned port);
+#ifdef EAPI
+API_EXPORT(int) ap_matches_server_vhost(server_rec *s, const char *host,
+unsigned port);
+#endif
 
 #ifdef __cplusplus
 }
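Review bot: ap_matches_server_vhost is declared without a doc comment, while the neighbouring ap_matches_request_vhost has one (the ` */` just above it closes that comment); add a line saying it is the server_rec form of the same ServerName/ServerAlias host:port match so readers of the header know the two functions agree. Because the declaration sits under #ifdef EAPI, any caller (mod_ssl included) must be compiled with EAPI defined or it will be calling an undeclared function.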
Index: src/main/http_vhost.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/main/http_vhost.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 http_vhost.c
--- src/main/http_vhost.c   1999/01/10 10:46:54 1.1.1.2
+++ src/main/http_vhost.c   1999/01/10 16:41:58
@@ -717,13 +717,22 @@
  * we just call it a match.  But here we require the host:port to match
  * the ServerName and/or ServerAliases.
  */
+#ifdef EAPI
+API_EXPORT(int) ap_matches_server_vhost(server_rec *s, const char *host,
+unsigned port)
+#else
 API_EXPORT(int) ap_matches_request_vhost(request_rec *r, const char *host,
 unsigned port)
+#endif
 {
+#ifndef EAPI
 server_rec *s;
+#endif
 server_addr_rec *sar;
 
+#ifndef EAPI
 s = r-server;
+#endif
 
 /* search all the VirtualHost values */
 /* XXX: If this is a NameVirtualHost then we may not be doing the Right Thing
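Review bot: the four interleaved #ifdef EAPI / #ifndef EAPI blocks give this one function two different signatures depending on the build, and the only thing that differs in the body is the guarded `s = r-server;` line. Simpler and equivalent: define ap_matches_server_vhost(server_rec *s, ...) unconditionally, turn ap_matches_request_vhost into a thin wrapper, and guard only the new export in the header; the non-EAPI build then compiles the same code with one preprocessor branch instead of four. Note also that in this archive copy the arrow in `r->server` has been lost (it reads `r-server`), so the patch as pasted from this message won't compile; take it from the CVS tree.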
@@ -757,6 +766,13 @@
 return matches_aliases(s, host);
 }
 
+#ifdef EAPI
+API_EXPORT(int) ap_matches_request_vhost(request_rec *r, const char *host,
+unsigned port)
+{
+return ap_matches_server_vhost(r-server, host, port);
+}
+#endif
 
 static void check_hostalias(request_rec *r)
 {
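Review bot: keeping ap_matches_request_vhost as a wrapper preserves the exported name for existing callers such as check_hostalias below, but its argument shows the same dropped arrow (`r-server`) as the previous hunk. More important for what the wrapper is going to be used for: this function matches a host:port against ServerName/ServerAlias at request time, and the XXX comment in the previous hunk already warns it may not do the Right Thing for NameVirtualHost. Deciding whether to start an SSL handshake on a connection has to happen before any request is read, so the SSLListen matcher can only go by the accepted socket's local address and port; the alias matching here cannot be the basis for that decision.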
Index: src/modules/ssl/mod_ssl.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.53
diff -u -r1.53 mod_ssl.c
--- src/modules/ssl/mod_ssl.c   1999/04/12 15:28:13 1.53
+++ src/modules/ssl/mod_ssl.c   1999/04/16 08:40:49
@@ -102,6 +102,9 @@
 AP_SRV_CMD(Engine, FLAG,
"SSL switch for the protocol engine "
"(`on', `off')")
+AP_SRV_CMD(Listen, ITERATE,
+   "restrictions for `SSLEngine on'"
+   "(`host:port')")
 AP_ALL_CMD(CipherSuite, TAKE1,
"Colon-delimited list of permitted SSL Ciphers "
"(`XXX:...:XXX' - see manual)")
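Review bot: the two adjacent string literals in the new AP_SRV_CMD(Listen, ...) entry concatenate to "restrictions for `SSLEngine on'(`host:port')" because the first literal lacks the trailing space that the Engine and CipherSuite entries end with ("SSL switch for the protocol engine "); add it. The help text also only names `host:port`, while the stated goal is Listen-like usage, so if a bare `port` or `*:port` is accepted, say so here.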
Index: src/modules/ssl/mod_ssl.h
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.90
diff -u -r1.90 mod_ssl.h
--- src/modules/ssl/mod_ssl.h   1999/04/16 08:50:34 1.90
+++ src/modules/ssl/mod_ssl.h   1999/04/23 17:30:24
@@ -95,6 +95,7 @@
 #include "http_protocol.h"
 #include "http_request.h"
 #include "http_main.h"
+#include "http_vhost.h"
 #include "http_core.h"
 #include "http_log.h"
 #include "scoreboard.h"
@@ -409,6 +410,14 @@
 } ssl_require_t;
 
 /*
+ * Define the SSLListen structure
+ */
+typedef struct {
+char*host;
+unsigned int port;
+} SSLListen;
+
+/*
  * Define the SSL random number generator seeding source
  */
 typedef enum {
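Review bot: the new typedef is named SSLListen in CamelCase, while the types around it in this file follow the ssl_*_t convention (`} ssl_require_t;` immediately above); rename it to ssl_listen_t. The `char *host` member also needs a documented meaning for the port-only and `*:port` forms of a Listen-style argument (NULL or empty for "any local address"), otherwise the matcher that consumes the array cannot tell a wildcard from a value that was never set.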
@@ -470,6 +479,7 @@
  */
 typedef struct {
 BOOL bEnabled;
+array_header *aListen;
 char*szCertificateFile;
 char*szKeyFile;
 char*szCACertificatePath;
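Review bot: `array_header *aListen` is added to the per-server config, but none of the posted hunks allocates it in the function that initialises bEnabled or handles it when virtual host configs are merged, so as shown the pointer starts unset; add an ap_make_array call in the creator and decide whether a vhost's SSLListen list replaces or appends to the base server's. The default also needs stating explicitly: with no SSLListen at all, does `SSLEngine on` apply to every address:port (the "restriction" reading of the help text) or to none?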
@@ -537,6 +547,7 @@
 const char  *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *);
 const char  *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *);
 const char  *ssl_cmd_SSLEngine(cmd_parms *, char *, int flag);
+const char  *ssl_cmd_SSLListen(cmd_parms *, char *, char *);
 const char  
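Review bot: the prototype `const char *ssl_cmd_SSLListen(cmd_parms *, char *, char *)` has the one-string-per-call shape an ITERATE handler is invoked with, so it agrees with the mod_ssl.c hunk. The archive copy of the patch stops mid-line right after it (`const char  `), so the handler body, the parsing of the host:port argument and the matching code that Ralf says is unfinished are not visible here and cannot be reviewed from this message.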

Re: What happened to SSLOnlyOnPort?

1999-04-22 Thread Ralf S. Engelschall

On Thu, Apr 22, 1999, David Harris wrote:

 Way back a in January I posted a patch to implement a new directive,
 SSLOnlyOnPort. It allowed the same VirtualHost section to be used for ssl
 and non-ssl requests. I remember Ralf saying he thought this was a good
 idea, and would work some equivalent functionality into mod_ssl. Well, it's
 been a while and a bunch of releases, and I'm wondering if it got dropped.
 
 Ralf, what's the status on this directive or some other directive with
 equivalent functionality?

It's still in one of my development source trees:

| rse@en1:/e/modssl/src/mod_ssl
| : ll
| total 21
| drwxr-xr-x   2 rse  wheel   512 Apr 16 10:40 CVS
| -rw-r--r--   1 rse  wheel   532 Jan 27 13:30 Makefile
| -rw-r--r--   1 rse  wheel  1023 Mar  4 10:26 README
| -rw-r--r--   1 rse  wheel  1194 Apr 13 13:21 TODO
| drwxr-xr-x   3 rse  wheel   512 Apr 14 11:35 admin
| drwxr-xr-x   8 rse  wheel   512 Apr 16 10:50 pkg.apache
| drwxr-xr-x   9 rse  wheel  1024 Apr 20 17:13 pkg.apache.dh
| drwxr-xr-x   8 rse  users  1024 Apr 16 10:40 pkg.apache.listen
   ^
| drwxr-xr-x   8 rse  wheel   512 Apr 16 10:46 pkg.apache.proxy
| drwxr-xr-x   8 rse  wheel   512 Apr 16 10:51 pkg.apache.reneg
| drwxr-xr-x   9 rse  wheel  1024 Apr 16 10:47 pkg.apache.shm
| drwxr-xr-x   3 rse  wheel  2560 Apr 16 10:48 pkg.apache.status
| drwxr-xr-x  11 rse  wheel  1024 Apr 22 16:46 pkg.mod_ssl
| drwxr-xr-x   2 rse  wheel  1024 Apr 12 17:28 pkg.myca
| -rwxr-xr-x   1 rse  wheel   101 Apr  2 22:53 pkg.sh
| drwxrwxr-x   6 rse  users   512 Jan 27 20:46 pkg.test
| -rwxr-xr-x   1 rse  wheel  1265 Mar 17 15:44 run.sh

But the remaining problem is a correct comparison with the Listen ip:port stuff,
which didn't work correctly. I've not investigated in the last weeks because I
had no clue how to solve it. It's not dropped, but I need extra time to solve
the remaining problems. Because, as I said, your particular patch wasn't
general enough for mod_ssl, or at least not exactly the way I want it finally.
But to make it better I need a few additional clues...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
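Both of Ralf's replies above come back to the same unfinished piece: comparing Listen-style `ip:port` entries against a connection so that `SSLEngine on` can be restricted to some of a vhost's addresses. The following stand-alone matcher is an added example of that comparison; it is not code from mod_ssl or from the posted patch, and the names ssl_listen_t, ssl_listen_parse, ssl_listen_add and ssl_listen_matches are this example's own. It assumes the three argument forms Listen accepts (`port`, `*:port`, `addr:port`, with `[v6addr]:port` also tolerated), treats a bare port or `*` as "any local address", and takes "no SSLListen given" to mean `SSLEngine on` is unrestricted. The decision is made from the accepted socket's local address and port only, because the SSL handshake runs before any HTTP request exists and so nothing the client sends can be consulted.

```c
/* Added example (not mod_ssl code): Listen-style host:port restriction
 * for "SSLEngine on". Type and function names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSL_LISTEN_MAX 16

typedef struct {
    char     host[64];  /* "" = any local address (bare "port" or "*:port") */
    unsigned port;      /* 1..65535 */
} ssl_listen_t;

typedef struct {
    ssl_listen_t entries[SSL_LISTEN_MAX];
    int          n;
} ssl_listen_set_t;

/* Strict decimal port: digits only, 1..65535. Returns 0 or -1. */
static int parse_port(const char *s, unsigned *port)
{
    char *end;
    unsigned long v;
    if (!isdigit((unsigned char)*s))
        return -1;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || v == 0 || v > 65535)
        return -1;
    *port = (unsigned)v;
    return 0;
}

/* Parse one argument in the forms Listen accepts: "443", "*:443",
 * "10.0.0.5:443", plus "[::1]:443". Returns 0, or -1 when malformed. */
int ssl_listen_parse(const char *arg, ssl_listen_t *out)
{
    const char *colon = strrchr(arg, ':');   /* last ':' so "[::1]:443" splits right */
    size_t hlen;
    memset(out, 0, sizeof *out);
    if (colon == NULL)
        return parse_port(arg, &out->port);  /* bare port: any address */
    if (parse_port(colon + 1, &out->port) != 0)
        return -1;
    hlen = (size_t)(colon - arg);
    if (hlen >= 2 && arg[0] == '[' && arg[hlen - 1] == ']') {
        arg++;                               /* strip IPv6 brackets */
        hlen -= 2;
    }
    if (hlen == 0)
        return -1;                           /* ":443" is malformed */
    if (hlen == 1 && arg[0] == '*')
        return 0;                            /* "*:port": any address */
    if (hlen >= sizeof out->host)
        return -1;
    memcpy(out->host, arg, hlen);
    out->host[hlen] = '\0';
    return 0;
}

/* ITERATE-style: called once per directive argument. */
int ssl_listen_add(ssl_listen_set_t *set, const char *arg)
{
    if (set->n >= SSL_LISTEN_MAX || ssl_listen_parse(arg, &set->entries[set->n]) != 0)
        return -1;
    set->n++;
    return 0;
}

/* Decide for an accepted connection from its LOCAL endpoint only: the SSL
 * handshake precedes any request, so nothing the client sends can take part.
 * Empty set = no SSLListen given = "SSLEngine on" unrestricted (assumption). */
int ssl_listen_matches(const ssl_listen_set_t *set, const char *local_ip,
                       unsigned local_port)
{
    int i;
    if (set->n == 0)
        return 1;
    for (i = 0; i < set->n; i++) {
        const ssl_listen_t *e = &set->entries[i];
        if (e->port == local_port &&
            (e->host[0] == '\0' || strcmp(e->host, local_ip) == 0))
            return 1;  /* literal address compare; hostnames are not resolved here */
    }
    return 0;
}

int main(void)
{
    /* Constructed scenario: "SSLListen 443 10.0.0.5:8443"; port 80 stays plain HTTP. */
    static const struct { const char *ip; unsigned port; } conns[] = {
        { "192.0.2.1", 443 }, { "10.0.0.5", 8443 }, { "192.0.2.1", 8443 }, { "10.0.0.5", 80 }
    };
    ssl_listen_set_t set;
    size_t i;
    memset(&set, 0, sizeof set);
    if (ssl_listen_add(&set, "443") != 0 || ssl_listen_add(&set, "10.0.0.5:8443") != 0)
        return 1;
    for (i = 0; i < 4; i++)
        printf("%s:%u -> SSL %s\n", conns[i].ip, conns[i].port,
               ssl_listen_matches(&set, conns[i].ip, conns[i].port) ? "on" : "off");
    return 0;
}
```

The host field is compared as literal text, so a hostname in an SSLListen argument would have to be resolved to its addresses at configuration time, the way Listen does, before it could be matched against a socket's local address; that step is left out here. Rejecting `:443`, `10.0.0.5` without a port, and ports outside 1..65535 at parse time keeps a misconfiguration from silently leaving SSL off on an address the administrator meant to protect.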



RE: What happened to SSLOnlyOnPort?

1999-04-22 Thread David Harris


Ralf S. Engelschall wrote:
 But the remaining problem is a correct comparison with the Listen ip:port stuff,
 which didn't work correctly. I've not investigated in the last weeks because I
 had no clue how to solve it. It's not dropped, but I need extra time to solve
 the remaining problems. Because, as I said, your particular patch wasn't
 general enough for mod_ssl, or at least not exactly the way I want it finally.
 But to make it better I need a few additional clues...

Okay, glad to see that it's still on the radar. I remember we were talking
about some kinda hairy matching functionality to determine if a request was
SSL or not, which tied into the Listen directive. And I agree, my patch was a
quick way of solving the problem for my one need - not general enough for a
product.

Basically, as long as you are still planning on some equivalent
functionality, I'm happy.

 - David Harris
   Principal Engineer, DRH Internet Services

