Hi,

* John K. Sterling ([EMAIL PROTECTED]) wrote:
>
> As Justin said, this is something that has been randomly discussed from
> time to time for many years now. MANY people see the need for this for
> obvious reasons.
>
> As for the STATUS file entry, the concrete meaning (from a high level):
> 1) create a pluggable session storage interface (a la perl's tied hash)
> 2) expose it to apache modules
> 3) implement some standard back-ends
> 4) convert the ssl code to use it for session storage.
Yup, makes sense. I'm still wondering if the right way to do this is in
OpenSSL though, because it's a generic problem for SSL/TLS rather than
anything specific to HTTPS (and in theory there is no reason why Apache
shouldn't be able to share a session cache with other SSL/TLS software).

> I have heard of some pluggable C session storage code out there, but to
> add another external project dependency would be lame. Perhaps it could
> get added to apr-util... otherwise mod_ssl would have to compile it in
> locally.

I don't know if this is/was distcache, but distcache is about half my
interest in this subject (the other half being OpenSSL). I'm waiting to
finish the OpenSSL configuration stuff in httpd-2.0 before trying to submit
a patch for distcache support, so if modularising might affect this I could
look at it at the same time and perhaps save myself some effort later on.

I think however that the current caching interface is not a great base to
be generalising from (which, to be fair, is essentially inherited from the
same limiting interface in OpenSSL that hasn't been substantially touched
since SSLeay days).

Is anyone working on this already or ready to do so now? If so please make
contact so we can avoid duplication of effort. If not, I'll start giving it
some thought, although I'll probably ask that I be allowed to sort out and
contribute my distcache hooks into the existing modules/ssl first. I need to
clear a few things off my TODO list before embarking on investigations of
this sort.

One of the issues about modularising session caching is that it would make
a lot of sense to allow caches to be "stacked". This already happens in some
sense with OpenSSL managing a per-process stack and Apache's SSLSessionCache
allowing an application cache to be plugged in on top.
That limiting interface I spoke of already causes problems at this point,
because there's no "has_session" type of hook that allows the inner cache to
quickly check with the external cache in case a locally-cached session has
been *cancelled* by the external cache. This created a vulnerability that
was fixed in Apache-2 when I raised the subject on the modssl-users list,
but as far as I know is still lurking unchanged in mod_ssl/apache-1.3. The
fix of course has no choice but to shut off the internal cache completely
and use the external cache directly. So this same interface is not going to
lead to any clean way to layer caching mechanisms. (This is stuff I've been
dealing with in distcache BTW, but that's another spiel for another day.)

Thanks for getting back to me about this.

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
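The layering problem described in the message above, as an added illustration in C; this is not code from OpenSSL, mod_ssl or distcache. It assumes a hypothetical pluggable back-end interface (store/lookup/remove in the style of the existing callbacks, plus the missing has_session probe), a trivial in-memory table as the only back-end, and a two-layer stack where a per-process inner cache sits in front of a shared outer cache. Every name here is an invention for the example; the scenario function plays out "store, cancel via the outer cache, attempt to resume" with and without the probe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SESSIONS 8
#define ID_LEN 4

/* Toy session record: an opaque id plus a stand-in for the serialised
 * session blob a real cache would hold. */
struct session {
    uint8_t id[ID_LEN];
    int payload;
    bool in_use;
};

/* Hypothetical pluggable back-end interface (not OpenSSL's or mod_ssl's):
 * the usual store/lookup/remove plus a cheap has_session probe. */
struct cache_ops {
    bool (*store)(void *ctx, const struct session *s);
    const struct session *(*lookup)(void *ctx, const uint8_t *id);
    void (*remove)(void *ctx, const uint8_t *id);
    bool (*has_session)(void *ctx, const uint8_t *id);
};

/* One trivial back-end: a fixed-size in-memory table. */
struct table { struct session slots[MAX_SESSIONS]; };

static struct session *tbl_find(struct table *t, const uint8_t *id)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (t->slots[i].in_use && memcmp(t->slots[i].id, id, ID_LEN) == 0)
            return &t->slots[i];
    return NULL;
}
static bool tbl_store(void *ctx, const struct session *s)
{
    struct table *t = ctx;
    struct session *slot = tbl_find(t, s->id);       /* overwrite if present */
    for (size_t i = 0; i < MAX_SESSIONS && !slot; i++)
        if (!t->slots[i].in_use) slot = &t->slots[i]; /* else first free slot */
    if (!slot) return false;                          /* table full */
    *slot = *s;
    slot->in_use = true;
    return true;
}
static const struct session *tbl_lookup(void *ctx, const uint8_t *id)
{ return tbl_find(ctx, id); }
static void tbl_remove(void *ctx, const uint8_t *id)
{ struct session *s = tbl_find(ctx, id); if (s) s->in_use = false; }
static bool tbl_has(void *ctx, const uint8_t *id)
{ return tbl_find(ctx, id) != NULL; }

static const struct cache_ops table_ops = { tbl_store, tbl_lookup, tbl_remove, tbl_has };

/* Two stacked layers: a per-process inner cache in front of a shared outer
 * one (cf. OpenSSL's internal cache with SSLSessionCache behind it). */
struct stacked {
    const struct cache_ops *ops;   /* same back-end type for both layers here */
    struct table inner, outer;
    bool probe_outer;              /* ask has_session before trusting an inner hit */
};

void stacked_init(struct stacked *c, bool probe_outer)
{
    memset(c, 0, sizeof *c);
    c->ops = &table_ops;
    c->probe_outer = probe_outer;
}

/* New session: written through to both layers. */
bool stacked_store(struct stacked *c, const struct session *s)
{
    return c->ops->store(&c->inner, s) && c->ops->store(&c->outer, s);
}

/* Cancellation arriving through the shared layer (another process or the
 * external cache itself invalidated the session): only the outer sees it. */
void stacked_cancel_external(struct stacked *c, const uint8_t *id)
{
    c->ops->remove(&c->outer, id);
}

/* Resumption lookup. Without the probe an inner hit is returned even when the
 * outer cache has since cancelled the session; with it the stale inner copy
 * is dropped and the outer layer is consulted instead. */
const struct session *stacked_resume(struct stacked *c, const uint8_t *id)
{
    const struct session *s = c->ops->lookup(&c->inner, id);
    if (s) {
        if (!c->probe_outer || c->ops->has_session(&c->outer, id))
            return s;
        c->ops->remove(&c->inner, id);          /* cancelled upstream: discard */
    }
    s = c->ops->lookup(&c->outer, id);
    if (s) c->ops->store(&c->inner, s);         /* repopulate the local layer */
    return s;
}

/* Scenario: store a session, optionally cancel it via the outer cache, then
 * try to resume. Returns 1 if resumption succeeded, 0 if it was refused. */
int resume_scenario(bool probe_outer, bool cancelled)
{
    struct stacked c;
    struct session s = { {0xde, 0xad, 0xbe, 0xef}, 42, true }; /* constructed */
    stacked_init(&c, probe_outer);
    stacked_store(&c, &s);
    if (cancelled) stacked_cancel_external(&c, s.id);
    return stacked_resume(&c, s.id) != NULL;
}
```

The interesting case is `resume_scenario(false, true)`: the inner cache still holds the session, so the stale copy is resumed even though the shared cache cancelled it. The only remedy with the old interface is the one the message describes, switching the inner layer off entirely; with the probe, `resume_scenario(true, true)` refuses the resumption while the uncancelled cases still hit.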
