Re: svn commit: r644751 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_session_crypto.xml modules/session/config.m4 modules/session/mod_session_crypto.c

Sun, 06 Apr 2008 01:25:39 -0700 


On 04/06/2008 01:44 AM, Graham Leggett wrote:

Ruediger Pluem wrote:





+    /* default cipher AES256-SHA */
+    new->cipher = DEFAULT_CIPHER;
+    new->cipher_set = 1;



This seems wrong to me. By this the cipher is set to the default value 
every
you do NOT set it. Even if it was set differently in an enclosing 
container.



Yes, this is correct - the DEFAULT_CIPHER should only apply when you do 
NOT set it as you have said, because it is the default. If someone uses 
the SessionCryptoCipher directive, it will override this default.



The "_set" flag pattern solves some subtle config bugs in the server 
caused at merge time.



When a merge happens, an additional config is overlaid on top of the 
base config so far. If you use the simple premise that if the additional 
config is not null it should override the base config, and you have set 
a default, you'll find that the default finds its way into the 
additional config, which is then merged over the base config, 
effectively "undoing" the config underneath, replacing the base config 
with the default without the admin having explicitly asked for this.


This is what I fear here with the current state of code:

<Directory />
   SessionCryptoCipher somecipher
</Directory>

<Directory /blah>
   Somedirective
</Directory>

Should IMHO result in the usage of somecipher for requests below /blah.
With the current code this is IMHO not the case as the default value AES256-SHA
will be used for requests below /blah while somecipher is used for requests
below /blub.




In some places in the server, the addition of an unrelated directive 
within the same config structure can suddenly cause other directives to 
"disappear" and revert to the defaults, this is why.



+    new->digest_set = 1;
+
+    /* initialise SSL */
+    apr_ssl_init();


Do we need to call this over and over again each we create a dir_config?



We need to call this at least once, and doing this in the config means 
that it can be guaranteed to be done by the time the first request comes.


Doesn't it harm to call it over and over again (apart from performance)?




Unless there is something I missed (quite possible), there is not 
currently a hook that gets run when the config is complete. This would 
be very useful to initialise things once after all the config directives 
are parsed.


How about the post_config hook?

Regards

RĂ¼diger






















					Reply via email to