Hi,

Pl. find my comments below :

>-----Original Message-----
>From: Justin Erenkrantz
[..snip..]
>/* XXX THIS STUFF NEEDS A MAJOR CLEANUP -RSE XXX */
>So, I'm obviously not the first one to think this and that
>was before the input filters change forced this issue. =)
[..snip..]

True.. it's known that the ssl filtering is to be stabilized. That's the reason the comment still exists in the file - else it would have gone long time ago :-).

[..snip..]
>Anyway, I see that the input and output filters are handled
>by one function - churn. Is that dictated by the mechanics
>of OpenSSL? Can we separate input and output entirely or
>do we need to have them coexist like they are now?
[..snip..]

You're right.. the bulk of the SSL communication logic is done in churn().. The logic basically reads the user data from the filter, gives it to OpenSSL thru' the BIO routines, and whatever is output by openssl is picked up thru' the BIO interfaces and put on to the output queue.. I'm not clear what you mean by "separate input and output"..

[..snip..]
>I also don't think OpenSSL will like the idea of renegotiating via buckets. =)
[..snip..]

I don't think so.. As long as we can gather the *full client data* and pass it across, OpenSSL is happy.. The catch here is to capture all the data that's sent by the client, and not to break it into small chunks/pieces.

[..snip..]
>So, I think we have to teach mod_ssl's input filter to standalone
>without the help of the core. That means (I think) that we could
>use the SSL_* (i.e. SSL_read) functions when reading from the
>socket rather than ap_get_brigade/BIO_*. Can we intermix calls to
>BIO_* and SSL_*? Are they separate? When do we want to use BIO_*
>and not SSL_*?
[..snip..]

It's definitely possible to use the SSL_* functions - but, then we'll have to expose the socketfd's et al.. Also, it'd be deviating from the other modules of apache, where the filters are *almost* forced to be used. I'd prefer to have the ap_get_brigade_* functionality to read/write the data from the socket.

[..snip..]
>There is just a lot of stuff here. And, I think Ralf nailed it
>on the head. =)
[..snip..]

<shameless plug>I picked up the SSL filtering logic from tls, and modified it to work for mod-ssl </shameless plug>.. OtherBill, Doug, Cliff added some real valuable stuff to the filter code.

-Madhu
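
The pump that the reply attributes to churn(), as an added example that is not part of the original message or of mod_ssl: Python's `ssl` module stands in for the C BIO calls, with two memory BIOs in place of the filter brigades. The function names, the host name and the truncated record bytes are constructed for illustration.

```python
import ssl

def make_engine(hostname="example.invalid"):
    """TLS client engine with no socket: all I/O goes through two memory BIOs.
    The host name is a constructed placeholder; nothing is sent on the network."""
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()   # bytes received from the peer are written here
    outgoing = ssl.MemoryBIO()   # bytes OpenSSL wants sent are read from here
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return tls, incoming, outgoing

def churn(tls, incoming, outgoing, data=b""):
    """One pump cycle: hand received bytes to OpenSSL, let it advance the
    handshake, then collect whatever it queued for the output side."""
    if data:
        incoming.write(data)
    try:
        tls.do_handshake()
        state = "done"
    except ssl.SSLWantReadError:
        # OpenSSL needs more input before it can make progress.
        state = "want_read"
    return state, outgoing.read()

def record_header(buf):
    """Parse the 5-byte TLS record header: (content type, version, length)."""
    return buf[0], (buf[1], buf[2]), int.from_bytes(buf[3:5], "big")

def demo():
    tls, incoming, outgoing = make_engine()
    # First cycle: no input yet, so OpenSSL emits its ClientHello and waits.
    state1, hello = churn(tls, incoming, outgoing)
    # Second cycle: only 3 of the 5 header bytes of a peer record arrive
    # (constructed fragment). The engine keeps them and asks for more.
    state2, out2 = churn(tls, incoming, outgoing, b"\x16\x03\x03")
    return state1, hello, state2, out2

if __name__ == "__main__":
    s1, hello, s2, out2 = demo()
    print(s1, record_header(hello), s2, out2)
```
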
