On Wed, Apr 25, 2001 at 10:03:38AM -0700, Greg Stein wrote:
> >...
> > I agree that mod_tls isn't an advanced module, but it is a way to remove
> > some of the politics from the SSL modules in Apache.
>
> Bingo. We've got two camps that disagree at a basic level. Fine, they can
> continue with their rock throwing, and the core Apache will do its own
> thing independently. The SSL situation will then just disappear since Apache
> will simply come with a solution.

I disagree completely. Neither is the Apache Group going to get to
a point where the "political" disagreement becomes any better,
nor will "Apache simply come with a solution" within the next years.

- the mod_ssl author is not going to add any functionality to mod_tls,
because he says it is an almost 1:1 copy of an OpenSSL example, which
is nothing but the OpenSSL version of "Hello World".
Instead, he will remain in the unlucky situation where he is forced
to maintain mod_ssl for apache-2.x separately.
- The mod_tls author alone will never get it to a point where it is fit
for professional use. That is certainly my biased opinion, because I
use mod_ssl.
- Current users of mod_ssl will demand professional quality because most of
them, ehhm, *ARE* using it in a professional environment. They will
therefore not consider mod_tls. (I for one am maintaining the mod_ssl
enhanced version of Apache for BS2000. I did consider different solutions,
but they were unusable, in comparison to mod_ssl).
- If both were going to collaborate on the mod_tls-to-be, the situation
would be different. But it was "politically unwise" not to ask the
mod_ssl author before the mod_tls author added mod_tls to apache-2.0.
Now the situation is even worse than when both authors had their
own patches, because one author has his solution *in* the server
source tree, and the other author doesn't.
- The remaining Apache Group members either never used SSL in the
first place, or are selling mod_ssl today as a commercial product.
The former are quite happy to see the R&D version grow from 12kB to
a professional solution (which will take years if experienced SSL
developers work on it, and with "experienced" I do not only mean
"experienced programmers", but also those who have experience with
making a product _fit_for_market_ like adding good documentation,
making it easily configurable, robust, flexible, and the like).
The latter are quite satisfied that they have mod_ssl (under a different
name) in their drawers, because it means they have an advantage over
the competition (which still plays with the mod_tls toy).

Face it: mod_ssl IS the professional solution, and that is the reason
why other (already professional) SSL solutions for Apache-1.3 were
ditched and replaced by mod_ssl (and not by Apache-SSL).

mod_tls looks like the right approach, technically, but why not "add
mod_tls to mod_ssl", which gives us (and the world) a world-class SSL
server based on the World-class HTTP server? That could be a basis where
collaboration would make sense, and other mod_ssl/Apache-SSL users
could help us iron out any 2.x related things.

But starting from scratch is IMHO not the way to get mod_tls up and
running within the next 2 years.

Just my $.02, of course.

Martin
--
<[EMAIL PROTECTED]> | Fujitsu Siemens
<[EMAIL PROTECTED]> | 81730 Munich, Germany