On Thu, 30 May 2002, William A. Rowe, Jr. wrote:
> is modules/ssl/README even valuable anymore?
yes. fine to remove the stale stuff, but not the whole damn thing. there
was a useful roadmap of the source in there and everything that was in the
TODO section is still valid:
 o SSL renegotiations in combination with POST request
 o Port all remaining code (code inside #if 0...#endif blocks)
 o Do we need SSL_set_read_ahead()?
 o the ssl_expr api is NOT THREAD SAFE. race conditions exist:
   - in ssl_expr_comp() if SSLRequire is used in .htaccess
     (ssl_expr_info is global)
   - in ssl_expr_eval() if there is an error
     (ssl_expr_error is global)
 o SSLRequire directive (parsing of) leaks memory
 o Diffie-Hellman-Parameters for temporary keys are hardcoded in
   ssl_engine_dh.c, while the comment in ssl_engine_kernel.c says:
   "it is suggested that keys be changed daily or every 500
   transactions, and more often if possible."
 o ssl_var_lookup could be rewritten to be MUCH faster
 o CRL callback should be pluggable
 o session cache store should be pluggable
 o init functions should return status code rather than ssl_die()
 o ssl_engine_pphrase.c needs to be reworked so it is generic enough
   to also decrypt proxy keys
 o the shmcb code should just align its memory segment rather than
   jumping through all the "safe" memcpy and memset hoops