William A. Rowe, Jr. wrote:
Nick Kew wrote:
[...]
Is OpenSSL not thread-safe?
An SSL_CTX can't be cross-threaded. If the scope of use of that CTX is
restricted to one thread at a time, then yes, OpenSSL has been threadsafe
for a very very long time.
You mean if I were able to create one
-Original Message-
From: Jeff Trawick
Sent: Wednesday, 6 December 2006 04:17
To: dev@httpd.apache.org
Subject: Re: vote on concept of ServerTokens Off
On 12/5/06, Ruediger Pluem [EMAIL PROTECTED] wrote:
What is the latest patch that should be applied?
I'm
Frank wrote:
Nick Kew wrote:
[...]
My chapter 4 discusses thread-safety and external libraries.
But I know nothing about OpenSSL, and I suspect you might be
seeing a problem where none exists.
When the library opens I will take a look at it, but I suspect that your
book will not help me in
[ http://issues.apache.org/jira/browse/MODPYTHON-143?page=all ]
Graham Dumpleton resolved MODPYTHON-143.
Resolution: Fixed
Basic documentation added for apache.import_module() and all outstanding code
changes complete, so finally time to mark
There were no more comments on basic apache.import_module()
documentation so I have tweaked a few last things, committed it
and marked as resolved the final issue in JIRA tagged for 3.3.
Thus, unless anyone else has got any last minute issues, we should
be good to go with a 3.3 release now.
Hi All,
CFLAGS=-g3 -fno-strict-aliasing -O0 -DAP_UNSAFE_ERROR_LOG_UNESCAPED
./configure \
--prefix=$S/httpd/2.2.3/prefork \
--with-apr=$S/apr/1.2.7/bin/apr-1-config \
--with-apr-util=$S/apr-util/1.2.7-5.1.12-beta/bin/apu-1-config \
--with-mpm=prefork \
--enable-debug \
According to Jeff:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
I voted -1 at that time which is a veto.
My opinion hasn't changed and I still think that it is a very
stupid idea to add a feature that allows our users to
On Wed, Dec 06, 2006 at 02:15:50AM -0800, Philip M. Gollucci wrote:
CFLAGS=-g3 -fno-strict-aliasing -O0 -DAP_UNSAFE_ERROR_LOG_UNESCAPED
./configure \
--prefix=$S/httpd/2.2.3/prefork \
--with-apr=$S/apr/1.2.7/bin/apr-1-config \
On Wed, 6 Dec 2006 13:30:26 +0100
Lars Eilebrecht [EMAIL PROTECTED] wrote:
According to Jeff:
A lot of opinions were offered back in August. Some were negative
but I don't see anything that looks like a veto.
I voted -1 at that time which is a veto.
My opinion hasn't changed and I
Lars Eilebrecht wrote:
According to Jeff:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
I voted -1 at that time which is a veto.
My opinion hasn't changed and I still think that it is a very
stupid idea to add a
On Wed, Dec 06, 2006 at 01:30:26PM +0100, Lars Eilebrecht wrote:
According to Jeff:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
I voted -1 at that time which is a veto.
My opinion hasn't changed and I still think
Joe Orton wrote:
On Wed, Dec 06, 2006 at 02:15:50AM -0800, Philip M. Gollucci wrote:
CFLAGS=-g3 -fno-strict-aliasing -O0 -DAP_UNSAFE_ERROR_LOG_UNESCAPED
./configure \
--prefix=$S/httpd/2.2.3/prefork \
--with-apr=$S/apr/1.2.7/bin/apr-1-config \
Joe Orton wrote:
On Wed, Dec 06, 2006 at 01:30:26PM +0100, Lars Eilebrecht wrote:
According to Jeff:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
I voted -1 at that time which is a veto.
My opinion
On Tue, 05 Dec 2006 17:06:16 -0800
Chris Darroch [EMAIL PROTECTED] wrote:
Hi --
The short version of this email is, please, can people review
this patch for server/request.c and see if it breaks anything?
There are versions for trunk and 2.2.x. Thanks in advance!
-Original Message-
From: Nick Kew
Sent: Wednesday, 6 December 2006 14:34
To: dev@httpd.apache.org
In this instance, we need to work through how this relates to
relevant updates leading to the CHANGES file entry:
core: Do not allow internal redirects like the
Graham Dumpleton wrote:
There were no more comments on basic apache.import_module()
documentation so I have tweaked a few last things, committed it
and marked as resolved the final issue in JIRA tagged for 3.3.
Thus, unless anyone else has got any last minute issues, we should
be good to go
Frank wrote:
William A. Rowe, Jr. wrote:
Nick Kew wrote:
[...]
An SSL_CTX can't be cross-threaded. If the scope of use of that CTX is
restricted to one thread at a time, then yes, OpenSSL has been threadsafe
for a very very long time.
You mean if I were able to create one SSL_CTX for every
On Wed, 6 Dec 2006 14:41:39 +0100
Plüm, Rüdiger, VF EITO [EMAIL PROTECTED] wrote:
In this instance, we need to work through how this relates to
relevant updates leading to the CHANGES file entry:
core: Do not allow internal redirects like the DirectoryIndex
of mod_dir to
On Wed, Dec 06, 2006 at 01:30:26PM +0100, Lars Eilebrecht wrote:
I voted -1 at that time which is a veto.
My opinion hasn't changed and I still think that it is a very
stupid idea to add a feature that allows our users to do
something which is stupid and absurd.
I agree.
vh
Mads Toftum
On 12/6/06, Jim Jagielski [EMAIL PROTECTED] wrote:
Joe Orton wrote:
On Wed, Dec 06, 2006 at 01:30:26PM +0100, Lars Eilebrecht wrote:
According to Jeff:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
I voted -1
On Wed, 06 Dec 2006 09:42:04 +0100
Frank [EMAIL PROTECTED] wrote:
William A. Rowe, Jr. wrote:
Nick Kew wrote:
[...]
Is OpenSSL not thread-safe?
An SSL_CTX can't be cross-threaded. If the scope of use of that
CTX is restricted to one thread at a time, then yes, OpenSSL has
been
On Wed, 06 Dec 2006 10:22:22 +0100
Frank [EMAIL PROTECTED] wrote:
Your book will be available in March/April 2007, but I prefer to find
a solution somewhat earlier. :-)
Someone's being very cautious with dates there. I've just finished
proofreading, and am under instructions that any changes
Jorge Schrauwen wrote:
On 12/6/06, Jim Jagielski [EMAIL PROTECTED] wrote:
Joe Orton wrote:
The motivation given by the submitter was that he pays per byte served,
it seems entirely reasonable to allow the Server header to be disabled
for such users.
Can he install
On 12/6/06, Joe Orton [EMAIL PROTECTED] wrote:
The motivation given by the submitter was that he pays per byte served,
it seems entirely reasonable to allow the Server header to be disabled
for such users.
And he has the code. If it's that important, he can change the code.
(Wanna bet he
On 12/6/06, Jim Jagielski [EMAIL PROTECTED] wrote:
Jorge Schrauwen wrote:
On 12/6/06, Jim Jagielski [EMAIL PROTECTED] wrote:
Joe Orton wrote:
The motivation given by the submitter was that he pays per byte served,
it seems entirely reasonable to allow the Server header to be
On 12/6/06, Chris Darroch [EMAIL PROTECTED] wrote:
Hi --
The short version of this email is, please, can people review
this patch for server/request.c and see if it breaks anything?
There are versions for trunk and 2.2.x. Thanks in advance!
On 12/6/06, Jeff Trawick [EMAIL PROTECTED] wrote:
We're up to two great answers to disable some output from the server
that isn't required by the HTTP protocol anyway:
1) modify the source
2) install third-party module
So, uh, why do we need to make it even easier for them? -- justin
-Original Message-
From: Nick Kew
Sent: Wednesday, 6 December 2006 15:06
To: dev@httpd.apache.org
Subject: Re: Creating a thread safe module and the problem of
calling of 'CRYPTO_set_locking_callback' twice!
OpenSSL is just one of thousands of libraries a module
On 12/6/06, Lars Eilebrecht [EMAIL PROTECTED] wrote:
According to Jeff:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
I voted -1 at that time which is a veto.
oops, I didn't read all your messages
Jeff Trawick wrote:
We're up to two great answers to disable some output from the server
that isn't required by the HTTP protocol anyway:
1) modify the source
2) install third-party module
Well, as you recall, I voted +1 on the patch. My concern is
that others have concerns (and there
On 12/6/06, Justin Erenkrantz [EMAIL PROTECTED] wrote:
On 12/6/06, Jeff Trawick [EMAIL PROTECTED] wrote:
We're up to two great answers to disable some output from the server
that isn't required by the HTTP protocol anyway:
1) modify the source
2) install third-party module
So, uh, why do
According to Mads:
On Wed, Dec 06, 2006 at 01:30:26PM +0100, Lars Eilebrecht wrote:
I voted -1 at that time which is a veto.
My opinion hasn't changed and I still think that it is a very
stupid idea to add a feature that allows our users to do
something which is stupid and absurd.
On Wed, Dec 06, 2006 at 03:45:54PM +0100, Lars Eilebrecht wrote:
So, is that a -1 or -0?
A peanut gallery -1. I feel very strongly about pretending to implement
security measures that do not help one bit.
vh
Mads Toftum
--
http://soulfood.dk
On 12/6/06, Jeff Trawick [EMAIL PROTECTED] wrote:
We're up to two great answers to disable some output from the server
that isn't required by the HTTP protocol anyway:
1) modify the source
2) install third-party module
My support for the idea has nothing to do with improving the operation
of
Nick Kew wrote:
Unless OpenSSL nomenclature is rather confusing here, an SSL_CTX
sounds like the kind of thing you would instantiate per-connection
or per-request. Does your module act on a request or a connection?
Maybe a bit of background reading and examination of reference
-Original Message-
From: Mads Toftum
Sent: Wednesday, 6 December 2006 15:50
To: dev@httpd.apache.org
Subject: Re: vote on concept of ServerTokens Off
On Wed, Dec 06, 2006 at 03:45:54PM +0100, Lars Eilebrecht wrote:
So, is that a -1 or -0?
A peanut gallery -1. I
On 12/5/06, Jeff Trawick [EMAIL PROTECTED] wrote:
A lot of opinions were offered back in August. Some were negative but
I don't see anything that looks like a veto.
Why do I care personally? I'd like to see an easy resolution to the
common support question which doesn't involve recompiling
Jeff Trawick wrote:
I know... that's why I asked :)
We're up to two great answers to disable some output from the server
that isn't required by the HTTP protocol anyway:
1) modify the source
2) install third-party module
ROFL. Please add to the list:
3) Start a new apache-httpd fork.
Darryl Miles wrote:
Nick Kew wrote:
Unless OpenSSL nomenclature is rather confusing here, an SSL_CTX
sounds like the kind of thing you would instantiate per-connection
or per-request. Does your module act on a request or a connection?
Maybe a bit of background reading and examination of
Joshua Slive wrote:
On 12/6/06, Jeff Trawick [EMAIL PROTECTED] wrote:
We're up to two great answers to disable some output from the server
that isn't required by the HTTP protocol anyway:
1) modify the source
2) install third-party module
My support for the idea has nothing to do with
On 12/6/06, Frank [EMAIL PROTECTED] wrote:
My question is: How does this interfere with my module? How can I ensure
that only one of us (mod_ssl or my module) is calling both of these
functions? I cannot believe that there is no problem when my module
You just can't. I wish there was a better
Justin Erenkrantz wrote:
On 12/6/06, Frank [EMAIL PROTECTED] wrote:
My question is: How does this interfere with my module? How can I ensure
that only one of us (mod_ssl or my module) is calling both of these
functions? I cannot believe that there is no problem when my module
You just can't.
On Wed, Dec 06, 2006 at 09:15:15AM -0800, Paul Querna wrote:
Justin Erenkrantz wrote:
On 12/6/06, Frank [EMAIL PROTECTED] wrote:
My question is: How does this interfere with my module? How can I ensure
that only one of us (mod_ssl or my module) is calling both of these
functions? I cannot
On Tue, 05 Dec 2006 17:06:16 -0800
Chris Darroch [EMAIL PROTECTED] wrote:
What surprised me was discovering that each sub-request (or,
equally, internal redirect) went through the authnz steps despite
the fact that I just had a single blanket authnz configuration for
the entire directory
Frank wrote:
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit(&ctx, EVP_bf_cbc(), key, iv);
EVP_EncryptUpdate(&ctx, outbuf, &olen, inbuff, n);
EVP_EncryptFinal(&ctx, outbuf + olen, &tlen);
Because 'EVP_CIPHER_CTX_init' is 'slow', I want to call it once! (Yes! I
can call it
Joe Orton wrote:
What I do with OpenSSL in neon is to check that the existing callback is
NULL before registering a new callback; and likewise to check that the
ID callback is the one neon previously registered before un-registering
it later. If everybody did that it would be relatively safe.
On Wed, Dec 06, 2006 at 06:20:55PM +, Darryl Miles wrote:
Joe Orton wrote:
What I do with OpenSSL in neon is to check that the existing callback is
NULL before registering a new callback; and likewise to check that the
ID callback is the one neon previously registered before
On Wed, Dec 06, 2006 at 01:43:49PM -0500, Jeff Trawick wrote:
* The Apache HTTP Server project believes that most people who want to
avoid sending the Server header mistakenly think that doing so may
protect their server from attacks based on known flaws in older Apache
HTTPD releases, when in
Darryl Miles wrote:
Frank wrote:
William A. Rowe, Jr. wrote:
Nick Kew wrote:
[...]
An SSL_CTX can't be cross-threaded. If the scope of use of that CTX is
restricted to one thread at a time, then yes, OpenSSL has been threadsafe
for a very very long time.
You mean if I were able to
On 12/6/06, Nick Kew [EMAIL PROTECTED] wrote:
A corresponding authz hook will implement a Require inherit
to enable subrequests with inherited set to be authorized,
and will run ahead of normal authz hooks.
Would that be a good solution here?
I think you mean that if they have 'require
Jim Jagielski wrote:
*shrug* but as everyone seems to think that this is a good idea,
feel free to ignore my veto.
A Veto is a Veto. If you feel strongly enough about it, then
it cannot be, and should not be, ignored.
/agree - I cast a -0 because I don't like it, don't think we should
do
Protocol issues really should be brought up on the dev list, with an
appropriate subject, and not left in bugzilla.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39727
Entities gzip:ed by mod_deflate still carry the same ETag as the
plain entity, causing inconsistency in ETag aware
Hi --
Thanks for taking an initial look at these patches; I reviewed
them a bit more as well and did some testing this morning which
resulted in a pair of small changes. One of those changes is important;
it catches the condition where the current walk finds additional
matches beyond those
Roy T. Fielding wrote:
Protocol issues really should be brought up on the dev list, with an
appropriate subject, and not left in bugzilla.
FWIW, there was a dev list thread on this 3 years ago with the subject
mod_deflate and transfer / content encoding problem.
On 12/7/06, Roy T. Fielding [EMAIL PROTECTED] wrote:
Entities gzip:ed by mod_deflate still carry the same ETag as the
plain entity, causing inconsistency in ETag aware proxy caches.
I'll have a look later and see if I can fix it, but let me know if there
is already a patch in the works (that
On 12/7/06, Justin Erenkrantz [EMAIL PROTECTED] wrote:
mod_deflate should just add the W/ prefix if it's not already there. -- justin
But, that'll break caches as we're not allowed to serve If-Match with
weak entity tags. Feh.
-1 on adding semantic junk to the existing ETag (and keeping it
APACHE 2.0 STATUS: -*-text-*-
Last modified at [$Date: 2006-11-20 17:39:22 -0500 (Mon, 20 Nov 2006) $]
The current version of this file can be found at:
* http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS
Documentation status is
APACHE 2.3 STATUS: -*-text-*-
Last modified at [$Date: 2006-08-22 16:41:03 -0400 (Tue, 22 Aug 2006) $]
The current version of this file can be found at:
* http://svn.apache.org/repos/asf/httpd/httpd/trunk/STATUS
Documentation status is maintained
Joe Orton wrote:
On Wed, Dec 06, 2006 at 06:20:55PM +, Darryl Miles wrote:
[...]
Is there an API to get the current value ?
Yes, CRYPTO_get_locking_callback/CRYPTO_get_id_callback.
[...]
I already know that these functions exist. But what if my module gets
inited before mod_ssl, which