Dave Neuer wrote:
>
> Has anyone out there tried using mod_ssl with RSA's BSAFE SSL-C? Anyone
> know how different the API is to SSLeay/OpenSSL?
I have built mod_ssl with SSL-C and it's pretty easy. SSL-C is a partly
rewritten SSLeay and it maintains compatibility with the SSLeay APIs, though
some of them are undocumented.
My approach was to treat SSL-C just as if it were SSLeay. Copy the
missing SSLeay header files to your SSL-C include dir and hack
libssl.module to use the name sslc as an alternative to ssleay and
openssl. This was fine for mod_ssl-2.1.6 but got a little more
complicated with 2.2.8 due to improvements to OpenSSL - bear in mind
that the APIs may diverge in the future and you might find that every
mod_ssl upgrade needs a little bit more work.
In the end we have decided to use Raven for our web server (RSA weren't
very amenable to our commercial terms) and Certicom's SSL Plus for other
stuff. You may find the patch below interesting although I can take no
responsibility for it (either personally or on behalf of Critical Path).
Take care, g-
Gary Carroll, Critical Path Inc.
Patches for mod_ssl-2.2.8 - FYI only...
diff -Naur pkg.sslmod/libssl.module pkg.sslmod-sslc/libssl.module
--- pkg.sslmod/libssl.module Tue Mar 23 10:23:02 1999
+++ pkg.sslmod-sslc/libssl.module Thu Apr 15 21:00:15 1999
@@ -275,7 +275,7 @@
#
SSL_BINDIR=""
if [ ".$SSL_BASE" = .SYSTEM ]; then
- for name in openssl ssleay; do
+ for name in openssl ssleay sslc; do
for p in . `echo $PATH | sed -e 's/:/ /g'`; do
if [ -f "$p/$name" ]; then
SSL_PROGRAM="$p/$name"
@@ -292,7 +292,7 @@
exit 1
fi
else
- for name in openssl ssleay; do
+ for name in openssl ssleay sslc; do
if [ -f "$SSL_BASE/bin/$name" ]; then
SSL_PROGRAM="$SSL_BASE/bin/$name"
SSL_BINDIR='$(SSL_BASE)/bin'
@@ -345,11 +345,17 @@
#
if [ ".$SSL_BASE" = .SYSTEM ]; then
SSL_LIBDIR=""
- for p in . /lib /usr/lib /usr/local/lib; do
- if [ -f "$p/libssl.a" -o -f "$p/libssl.so" ]; then
- SSL_LIBDIR="$p"
- my_real_ssl_libdir="$p"
- break
+ for name in ssl sslc; do
+ for p in . /lib /usr/lib /usr/local/lib; do
+ if [ -f "$p/lib$name.a" -o -f "$p/lib$name.so" ]; then
+ SSL_LIBDIR="$p"
+ SSL_LIBNAME="$name"
+ my_real_ssl_libdir="$p"
+ break
+ fi
+ done
+ if [ ".$SSL_LIBDIR" != . ]; then
+ break;
fi
done
if [ ".$SSL_LIBDIR" = . ]; then
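Review bot: The new outer loop searches every directory for `libssl` before it looks anywhere for `libsslc`, so a stray libssl.a in `.` or /lib wins over an SSL-C install in /usr/local/lib, and nothing ties the library picked here to the `sslc` binary the two earlier hunks may have selected as SSL_PROGRAM. That is consistent with the `openssl ssleay sslc` order above, but it is worth stating at the loop head: `# prefer OpenSSL/SSLeay; SSL-C is only used when no libssl is found anywhere`. The trailing semicolon on `break;` is harmless but differs from the bare `break` inside the inner loop.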
@@ -358,21 +364,37 @@
exit 1
fi
else
- if [ -f "$SSL_BASE/lib/libssl.a" ]; then
- SSL_LIBDIR='$(SSL_BASE)/lib'
- my_real_ssl_libdir="$SSL_BASE/lib"
- else
- if [ -f "$SSL_BASE/libssl.a" ]; then
- SSL_LIBDIR='$(SSL_BASE)'
- my_real_ssl_libdir="$SSL_BASE"
+ SSL_LIBDIR=""
+ for name in ssl sslc; do
+ if [ -f "$SSL_BASE/lib/lib$name.a" ]; then
+ SSL_LIBDIR='$(SSL_BASE)/lib'
+ SSL_LIBNAME="$name"
+ my_real_ssl_libdir="$SSL_BASE/lib"
+ break
else
- echo "Error: Cannot find SSL library files under
$SSL_BASE" 1>&2
- exit 1
+ if [ -f "$SSL_BASE/lib$name.a" ]; then
+ SSL_LIBDIR='$(SSL_BASE)'
+ SSL_LIBNAME="$name"
+ my_real_ssl_libdir="$SSL_BASE"
+ break
+ fi
fi
+ done
+ if [ ".$SSL_LIBDIR" = . ]; then
+ echo "Error: Cannot find SSL library files under $SSL_BASE"
1>&2
+ exit 1
fi
fi
SSL_LDFLAGS="$SSL_LDFLAGS -L\$(SSL_LIBDIR)"
- SSL_LIBS="$SSL_LIBS -lssl -lcrypto"
+
+ #
+ # define SSL link libraries
+ #
+ if [ ".$SSL_LIBNAME" = .sslc ]; then
+ SSL_LIBS="$SSL_LIBS -lsslc"
+ else
+ SSL_LIBS="$SSL_LIBS -lssl -lcrypto"
+ fi
#
# SSL installation type
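Review bot: `SSL_LIBNAME` is introduced here and in the SYSTEM branch without a comment, and the `-lsslc`-only link line presumably relies on SSL-C shipping the crypto code inside the one library, which the hunk does not say. A one-liner at its first assignment, `# SSL_LIBNAME: base name of the library found (ssl or sslc); selects the link flags below`, and extending the "define SSL link libraries" comment with `# SSL-C has no separate libcrypto (assumption — verify against the SSL-C distribution)` would make the decision checkable. Note that `SSL_LIBNAME` is never initialised; that is safe only because both search branches exit on failure before it is read.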
@@ -401,6 +423,9 @@
*0.9.[01]* )
echo "$my_prefixe WARNING: THE SSLeay/OpenSSL VERSIONS
BELOW 0.9.2b HAVE A SERIOUS SECURITY HOLE."
echo "$my_prefixe Hint: Use OpenSSL version 0.9.2b or
higher!"
+ ;;
+ SSL-C* )
+ echo "$my_prefixe NOTE: Building with the RSA SSL-C
library."
;;
esac
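Review bot: The new `SSL-C* )` arm only prints a note, so the version gate that warns about SSLeay/OpenSSL below 0.9.2b has no SSL-C counterpart and any SSL-C release is accepted silently. Whether particular SSL-C versions have known problems cannot be judged from here, but the arm should say the check is deliberately skipped: `# SSL-C: no minimum version enforced here`. The variable being matched by this `case` is set outside the hunk, so it is not visible whether SSL-C's version string actually begins with "SSL-C".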
diff -Naur pkg.sslmod/ssl_engine_ext.c pkg.sslmod-sslc/ssl_engine_ext.c
--- pkg.sslmod/ssl_engine_ext.c Fri Apr 2 20:04:30 1999
+++ pkg.sslmod-sslc/ssl_engine_ext.c Thu Apr 15 21:00:15 1999
@@ -303,7 +303,7 @@
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
ssl = SSL_new(ssl_ctx);
SSL_clear(ssl);
-#if SSL_LIBRARY_VERSION >= 0x0922
+#if SSL_LIBRARY_VERSION >= 0x0922 && defined(OPENSSL_VERSION_NUMBER)
SSL_set_session_id_context(ssl, cpVHostID, strlen(cpVHostID));
#endif
SSL_set_fd(ssl, fb->fd);
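Review bot: Under SSL-C the added `&& defined(OPENSSL_VERSION_NUMBER)` guard skips `SSL_set_session_id_context` entirely, and the same guard is applied on the server side in the ssl_engine_kernel.c hunk at -176. The session-id context is what stops a session cached by one virtual host from being resumed by another with different verification settings, so SSL-C builds lose that separation unless the library enforces an equivalent on its own, which should be confirmed against the SSL-C API before relying on it. The guard deserves a comment at the `#if`: `/* SSL-C: no SSL_set_session_id_context() known; sessions are not bound to the vhost — confirm */`. The enclosing function begins and ends outside the hunk.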
diff -Naur pkg.sslmod/ssl_engine_kernel.c
pkg.sslmod-sslc/ssl_engine_kernel.c
--- pkg.sslmod/ssl_engine_kernel.c Fri Apr 2 20:02:02 1999
+++ pkg.sslmod-sslc/ssl_engine_kernel.c Thu Apr 15 21:00:15 1999
@@ -176,7 +176,7 @@
*/
ssl = SSL_new(sc->pSSLCtx);
SSL_clear(ssl);
-#if SSL_LIBRARY_VERSION >= 0x0922
+#if SSL_LIBRARY_VERSION >= 0x0922 && defined(OPENSSL_VERSION_NUMBER)
SSL_set_session_id_context(ssl, cpVHostID, strlen(cpVHostID));
#endif
SSL_set_app_data(ssl, conn); /* conn_rec (available now) */
@@ -187,7 +187,7 @@
/*
* Configure callbacks for SSL connection
*/
-#if SSL_LIBRARY_VERSION >= 0x0920
+#if SSL_LIBRARY_VERSION >= 0x0920 && defined(OPENSSL_VERSION_NUMBER)
SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
#endif
if (sc->nLogLevel >= SSL_LOG_DEBUG) {
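Review bot: The temporary-RSA callback is now not installed under SSL-C, so export-grade RSA key exchange, which needs a temporary key, depends on whatever SSL-C does by default; it is not visible here whether SSL-C generates one itself or fails those handshakes. A comment at the `#if` should record that: `/* SSL-C: no SSL_set_tmp_rsa_callback(); export RSA ciphers rely on library defaults — verify */`. The enclosing function lies outside the hunk.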
@@ -793,7 +793,18 @@
if ( (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL)
|| (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) )
nVerify |= SSL_VERIFY_PEER;
+
+ /*
+ * This is an example of the divergence between OpenSSL and RSA's
SSL-C
+ * As a temporary solution I'll just check for OpenSSL's verion
number
+ * in the future I will attempt to provide patches to OpenSSL to
maintain
+ * compatibility between the two sets of APIs. Gary Carroll
4/12/1999
+ */
+#ifdef OPENSSL_VERSION_NUMBER
SSL_set_verify(ssl, nVerify, ssl_callback_SSLVerify);
+#else
+ SSL_CTX_set_verify(ctx, nVerify, ssl_callback_SSLVerify);
+#endif
SSL_set_verify_result(ssl, X509_V_OK);
/* determine whether the verify mode was actually changed */
if (nVerify != nVerifyOld)
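Review bot: In the `#else` branch `SSL_CTX_set_verify(ctx, …)` changes the verify mode on a context rather than on this connection; `ctx` is not declared in the hunk, and if it is the virtual host's shared SSL_CTX the per-directory client-verification setting computed here persists for every later connection that uses that context, not only the one being renegotiated. A directory-level "optional" setting would then apply to connections that never touch the directory, and a stricter setting would stick after the request that required it. If SSL-C truly has no per-connection verify setter, the fallback should at least restore the previous context mode once the handshake completes, and the comment above the `#ifdef` should describe that limitation instead of the TODO-style note (it also misspells "version"). The enclosing function starts and ends outside the hunk.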
diff -Naur pkg.sslmod/ssl_engine_vars.c
pkg.sslmod-sslc/ssl_engine_vars.c
--- pkg.sslmod/ssl_engine_vars.c Sun Mar 21 15:14:15 1999
+++ pkg.sslmod-sslc/ssl_engine_vars.c Thu Apr 15 21:00:15 1999
@@ -540,7 +540,7 @@
int nUseKeySize;
int nAlgKeySize;
} ssl_var_lookup_ssl_cipher_bits_rec[] = {
-#if SSL_LIBRARY_VERSION >= 0x0920
+#if SSL_LIBRARY_VERSION >= 0x0920 && defined(OPENSSL_VERSION_NUMBER)
{ TLS1_TXT_RSA_EXPORT56_WITH_RC4_56_MD5 /*EXP56-RC4-MD5*/,
56, 128 },
{ TLS1_TXT_RSA_EXPORT56_WITH_RC2_CBC_56_MD5
/*EXP56-RC2-CBC-MD5*/,56, 128 },
{ TLS1_TXT_RSA_EXPORT56_WITH_DES_CBC_SHA
/*EXP56-DES-CBC-SHA*/,56, 56 },
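Review bot: With the three EXP56 entries compiled out for SSL-C, a lookup for those cipher names falls through to whatever the table's consumer does on a miss, which is outside the hunk; if SSL-C can negotiate those TLS1 export ciphers, the reported key sizes for them would be wrong or absent. A comment at the `#if` would make the gap explicit: `/* SSL-C: TLS1_TXT_RSA_EXPORT56_* not available; those ciphers get no key-size entry */`.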
diff -Naur pkg.sslmod/ssl_util_ssl.h pkg.sslmod-sslc/ssl_util_ssl.h
--- pkg.sslmod/ssl_util_ssl.h Thu Mar 18 10:31:58 1999
+++ pkg.sslmod-sslc/ssl_util_ssl.h Thu Apr 15 21:00:16 1999
@@ -70,8 +70,13 @@
#define SSL_LIBRARY_NAME "OpenSSL"
#else
#ifdef SSLEAY_VERSION_NUMBER
+#if SSLEAY_VERSION_NUMBER >= 0x1000
+#define SSL_LIBRARY_VERSION SSLEAY_VERSION_NUMBER
+#define SSL_LIBRARY_NAME "SSL-C"
+#else
#define SSL_LIBRARY_VERSION SSLEAY_VERSION_NUMBER
#define SSL_LIBRARY_NAME "SSLeay"
+#endif
#else
#define SSL_LIBRARY_VERSION 0x0000
#define SSL_LIBRARY_NAME "OtherSSL"
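Review bot: Detecting SSL-C by `SSLEAY_VERSION_NUMBER >= 0x1000` is a heuristic, and nothing on the page ties 0x1000 to SSL-C; any other SSLeay-compatible library reporting such a number would be labelled "SSL-C" and silently lose every call the other hunks guard with `defined(OPENSSL_VERSION_NUMBER)`. The assumption should be written at the new `#if`: `/* SSL-C reports SSLEAY_VERSION_NUMBER >= 0x1000; SSLeay itself never did (assumption, 4/1999) */`. It is also worth noting here that `SSL_LIBRARY_VERSION` then carries SSL-C's numbering, so the `>= 0x0920` / `>= 0x0922` comparisons elsewhere mean nothing for it — that is why those hunks needed the extra guard, and a reader should not drop it.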