On Thu, May 20, 1999, Andrea e Luca Giacobazzi wrote:

> >o  The whole fperr stuff is not needed (and acceptable). mod_ssl provides a
> >   really sophisticated logging mechanism through ssl_log() which the user
> >   can configure and adjust. You should use this, please.  Additionally you use
> >   insecure things ``fperr = fopen(..'' without error checks.  And the use of
> >   a static fperr isn't a good idea, too.  mod_ssl uses no global variables
> >   for thread safety and other reasons.
> 
> You're right, that was just for my internal debug use, but I forgot to
> change it.  Would it be correct to use a bio_err for the error log? (I'm still
> studying to understand how to use a bio structure in the right way).

No, a bio_err is just stderr encapsulated via OpenSSL's BIO library.  You
should use ssl_log() to write directly to the user-customizable SSL engine
logfile.
 
> >o  whenever you do I/O you should use the ap_fopen() and friends
> >   functions and not directly stdio stuff. Additionally unsafe
> >   things like sprintf() have to be replaced with ap_snprintf().
> >
> >o  hard-coded things like ``fopen("/m/home/giacob/...'' or ``ldapservers =
> >   "callisto.comune.modena.it:3389"'' are not acceptable.  Every used
> >   parameter either has to be a generic one which fits all situations or has
> >   to be user configurable via an Apache config directive.
> 
> How can I set some env vars via Apache config directive to describe all
> ocsp-ldap context in httpd.conf ? (ldap-servers, ldap-dn, ldap-passwd,
> ocsp-ldap-enable...)

Not env-vars, you have to implement a few Apache directives similar to what
mod_ssl does with the various SSLXXXX directives. For instance for you I would
use an "SSLOCSP" or "SSLLDAP" directive which parses "key=value" pairs as its
arguments and sets the variables inside an internal structure which you later
use at run-time. For instance something like:

SSLLDAP server=callisto.comune.modena.it port=3389 dn=foobar passwd=test

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
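
Added example, not part of the original message and not mod_ssl code: a stand-alone C sketch of the "key=value" parsing suggested above for an SSLLDAP-style directive, filling a caller-owned structure with bounded copies and rejecting unknown keys. The names ldap_cfg, set_str, ldap_cfg_set and ldap_cfg_parse and the buffer sizes are hypothetical; a real module would call this from its directive handler and return the error string to Apache.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical config record; the caller owns it, so no globals are needed. */
typedef struct {
    char server[256], dn[256], passwd[128];
    int  port;
} ldap_cfg;

/* Bounded copy that reports an error instead of truncating silently. */
static const char *set_str(char *dst, size_t cap, const char *val) {
    int n = snprintf(dst, cap, "%s", val);
    return (n < 0 || (size_t)n >= cap) ? "value too long" : NULL;
}

/* Parse one "key=value" argument; returns NULL on success, else an error. */
const char *ldap_cfg_set(ldap_cfg *cfg, const char *arg) {
    const char *eq = strchr(arg, '=');
    const char *val = eq ? eq + 1 : "";
    size_t klen = eq ? (size_t)(eq - arg) : 0;
    char *end; long p;
    if (klen == 0 || *val == '\0')
        return "expected key=value";
    if (klen == 6 && memcmp(arg, "server", 6) == 0)
        return set_str(cfg->server, sizeof cfg->server, val);
    if (klen == 2 && memcmp(arg, "dn", 2) == 0)
        return set_str(cfg->dn, sizeof cfg->dn, val);
    if (klen == 6 && memcmp(arg, "passwd", 6) == 0)
        return set_str(cfg->passwd, sizeof cfg->passwd, val);
    if (klen != 4 || memcmp(arg, "port", 4) != 0)
        return "unknown key";            /* only the four listed keys pass */
    p = strtol(val, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535)
        return "port must be 1-65535";   /* trailing junk or out of range */
    cfg->port = (int)p;
    return NULL;
}

/* Parse every argument of one directive line, stopping at the first error. */
const char *ldap_cfg_parse(ldap_cfg *cfg, int argc, const char *const *argv) {
    const char *err = NULL;
    int i;
    memset(cfg, 0, sizeof *cfg);
    for (i = 0; i < argc && err == NULL; i++)
        err = ldap_cfg_set(cfg, argv[i]);
    return (err == NULL && cfg->server[0] == '\0') ? "server= is required" : err;
}
```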
