Re: Get the actual socket of a request_rec

[Giovanni Donelli]

Hi! I totally understand your concerns regarding working directly with
the socket file descriptor.

However the module I am working on needs to cooperate with an extension in
the kernel and I would like to pass small data from the kernel to the module
by using the getsockopt API.

As soon as you have have the source code with you please post it here!

Thank you very much!
Giovanni


On Nov 29, 2007 10:32 AM, bronto [EMAIL PROTECTED] wrote:

 Hello,

 I don't have access o my source code right now, but the mentioned method
 is not one that I used (and mine worked).
 I guess, in a day or two I will be able to get to my source, and send it
 here.

 But to mention, are you sure you need the socket file descriptor? Since
 the api is done the way, that maybe 90% of modules actually don't need
 to know the socket(and use bucketsbrigades). There *are* situations
 though, but think about it twice.

 Regards,
 Stefan

 Giovanni Donelli  wrote / napísal(a):
  I needed to:
  #define CORE_PRIVATE
  Sorry about that.
 
  Anyway, this doesn't seem to be working. I'm logging the file
  descriptor of different request_rec and the result is always the same,
  (this can't be, right?).
 
  Any other way to get the actual socket of a request_rec ?
 
  Thanks!
 
 
  On Nov 22, 2007 4:10 PM, Giovanni Donelli [EMAIL PROTECTED]
 wrote:
 
  Thank you very much,
what is the core_module symbol referencing to? I can't compile
  it without binding that to something.
 
  Giovanni
 
 
 
 
  On Nov 22, 2007 4:05 PM, Tamas Palagyi [EMAIL PROTECTED] wrote:
 
  Try this:
 
  struct apr_socket_t_internal {
 
  apr_pool_t *pool;
  int socketdes;
  };
 
  int getfd(request_rec *r) {
 
conn_rec *c = r-connection;
apr_socket_t *s = ap_get_module_config(c-conn_config,core_module);
struct apr_socket_t_internal *i = (struct apr_socket_t_internal *)
 s;
 
return i-socketdes;
  }
 
  I have seen somewhere some other way to get fd tough...
 
  Tamas
 
 
 
 
  On Thu, 2007-11-22 at 15:44 +, Giovanni Donelli wrote:
 
  Dear fellow module developer,
 
   given a request_rec*r is there anyway to get to the actual
 socket
  file descriptor from which the request came in?
 
  I have been struggling all day trying to get this info out of a
  request_rec. Please help!
 
  Thank you!
  Giovanni
 

Nick's Book

[Brian McQueen]

I finally got a copy of the book.  Its very good.  I hope it inspires
more folks to use and rely on the excellent Apache technology.

Good job Nick:

http://www.amazon.com/Apache-Modules-Book-Application-Development/dp/0132409674

Brian McQueen

Segmentation fault:- Inbuilt Apache 2.0.58 on Solaris 10

[Renu Tiwari]

Hi,

I am getting segmentation fault when trying to start Inbuilt Apache 2.0.58 on 
Solaris 10(sparc).

Please suggest.

Thanks


 CAUTION - Disclaimer *
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely 
for the use of the addressee(s). If you are not the intended recipient, please 
notify the sender by e-mail and delete the original message. Further, you are 
not to copy, disclose, or distribute this e-mail or its contents to any other 
person and any such actions are unlawful. This e-mail may contain viruses. 
Infosys has taken every reasonable precaution to minimize this risk, but is not 
liable for any damage you may sustain as a result of any virus in this e-mail. 
You should carry out your own virus checks before opening the e-mail or 
attachment. Infosys reserves the right to monitor and review the content of all 
messages sent to or from this e-mail address. Messages sent to or from this 
e-mail address may be stored on the Infosys e-mail system.
***INFOSYS End of Disclaimer INFOSYS***

Re: mod_include -A /path (Re: Expression Parser API?)

[Graham Leggett]

On Thu, November 29, 2007 3:21 am, Nick Kew wrote:

 OK, fairy nuff I understand the shell args derivation, and that's
 fine by me.  I'd prefer -A /foo/bar.txt  400, but I'm happy
 to accept your version.

Aaargh... something else I struggled with was to chose just how far to
take it. It would have been really easy to start with the idea add the
ability to test whether URLs are accessible, and then run with it, ending
up where ages later you have ultimately reengineered three quarters of
mod_include, and blown any chance of a backport to 2.2.

In sh syntax, the -X arg tests are typically boolean in nature, whereas
-A /foo/bar.txt  400 is really string in nature. This leads onto the
idea of supporting some kind of function syntax, such as status(/url),
but this overloads the brackets as to now meaning either the grouping
around conditional expressions (like now), or marking a parameter, and
suddenly you're re-engineering the entire parser.

 What I don't like about the patch is the evaluation inline within
 the parser.

The trouble is part of a bigger problem, where all the other evaluations
are done inline within the parser as well, but because they are small,
it passes unnoticed.

I saw the problem of adding the -A option, and the problem of refactoring
the parser to be generic as two separate problems, the second one being
more difficult to backport.

 I'm updating my working version to pass in an evaluation
 function for shell-stuff, but there's no way that's going to make 2.2.7.
 So in the meantime, I attach a patch that puts the evaluation and
 subrequest stuff into a separate function, in preparation for taking
 the parser from mod_include to core at a future date.  Patch attached.

 If you're happy with this minor reorganisation of your proposal,
 then you have my +1 on it.

When I have some real internet access, will definitely take a look and
sort it out.

Regards,
Graham
--

Re: mod_include -A /path (Re: Expression Parser API?)

[Nick Kew]

On Thu, 29 Nov 2007 12:31:52 +0200 (SAST)
Graham Leggett [EMAIL PROTECTED] wrote:

  If you're happy with this minor reorganisation of your proposal,
  then you have my +1 on it.

As you'll see, I've given it my +1 anyway now.  Rationale: if my
patch can go in now, then it can equally well happen later, and
it was still too half-baked to be the final word on the subject.

 When I have some real internet access, will definitely take a look and
 sort it out.

With a bit of luck we've now reached the point of singing from
the same hymnsheet :-)

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Re: apr_ bndm? was Re: Expression Parser API?

[Nick Kew]

On Thu, 29 Nov 2007 08:11:01 -0500
Akins, Brian [EMAIL PROTECTED] wrote:

 Needs to be against apr trunk and httpd trunk?
 
Oh, er, um ... porting over to APR?  That'd need to be raised on 
[EMAIL PROTECTED]  I read your original post as ap_bndm, meaning httpd core.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

[PATCH] axe ancient BIG_SECURITY_HOLE message

[Jeff Trawick]

If you should conceivably use that hack, you already know about it.
Logging spits out \t and \n literally anyway so message looks horrible.
Practically all users seeing this message just need to change User and
get on with life.

-- 
Born in Roswell... married an alien...
Index: os/unix/unixd.c
===
--- os/unix/unixd.c (revision 599438)
+++ os/unix/unixd.c (working copy)
@@ -169,17 +169,11 @@
 
 unixd_config.user_name = arg;
 unixd_config.user_id = ap_uname2id(arg);
-#if !defined (BIG_SECURITY_HOLE)  !defined (OS2)
+#if !defined (OS2)
 if (unixd_config.user_id == 0) {
-return Error:\tApache has not been designed to serve pages while\n
-\trunning as root.  There are known race conditions that\n
-\twill allow any local user to read any file on the system.\n
-\tIf you still desire to serve pages as root then\n
-\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n
-\tand then rebuild the server.\n
-\tIt is strongly suggested that you instead modify the User\n
-\tdirective in your httpd.conf file to list a non-root\n
-\tuser.\n;
+return Error: A root user id must not be used for request processing. 
 
+   Modify the User directive in your httpd.conf file to list a 
+   non-root user.;
 }
 #endif
 

Re: apr_ bndm? was Re: Expression Parser API?

[Akins, Brian]

On 11/28/07 8:27 PM, Nick Kew [EMAIL PROTECTED] wrote:


 I haven't looked at that specifically, but I think it likely there's
 a good case for it.  Are you volunteering to hack up a patch?

Sure. Why not.

Needs to be against apr trunk and httpd trunk?

-- 
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies

Re: apr_ bndm? was Re: Expression Parser API?

[Akins, Brian]

On 11/29/07 8:23 AM, Nick Kew [EMAIL PROTECTED] wrote:

 Oh, er, um ... porting over to APR?  That'd need to be raised on
 [EMAIL PROTECTED]  I read your original post as ap_bndm, meaning httpd core.

I can just do ap_bndm.  Just to keep it on this list...

Any particular place we are sticking util stuff in the tree?


-- 
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies

Re: [PATCH] axe ancient BIG_SECURITY_HOLE message

[Jeff Trawick]

On Nov 29, 2007 8:36 AM, Jeff Trawick [EMAIL PROTECTED] wrote:
 If you should conceivably use that hack, you already know about it.
 Logging spits out \t and \n literally anyway so message looks horrible.
 Practically all users seeing this message just need to change User and
 get on with life.

patch was broken ;)  this line must be left unchanged so that
BIG_SECURITY_HOLE still works for those few

-#if !defined (BIG_SECURITY_HOLE)  !defined (OS2)
+#if !defined (OS2)

Re: svn commit: r599385 - in /httpd/httpd/trunk: ./ modules/ssl/

[Ruediger Pluem]

On 11/29/2007 12:18 PM, [EMAIL PROTECTED] wrote:
 Author: jorton
 Date: Thu Nov 29 03:18:40 2007
 New Revision: 599385
 
 URL: http://svn.apache.org/viewvc?rev=599385view=rev
 Log:
 mod_ssl: Add support for OCSP validation of client certificates:
 
 * modules/ssl/ssl_engine_config.c (modssl_ctx_init,
   modssl_ctx_cfg_merge): Initialize and merge OCSP config options.
   (ssl_cmd_SSLOCSPOverrideResponder, ssl_cmd_SSLOCSPDefaultResponder,
   ssl_cmd_SSLOCSPEnable): Add functions.
 
 * modules/ssl/mod_ssl.c (ssl_config_cmds): Add config options.
 
 * modules/ssl/ssl_private.h: Add prototypes, config options to
   modssl_ctx_t.
 
 * modules/ssl/ssl_util_ocsp.c: New file, utility interface for
   dispatching OCSP requests.
 
 * modules/ssl/ssl_engine_ocsp.c: New file, interface for performing
   OCSP validation.
 
 * modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify): Perform
   OCSP validation if configured, and the cert is so-far verified to be
   trusted.  Fail if OCSP validation is configured an the optional-no-ca 
   check tripped.
 
 * modules/ssl/config.m4: Check for OCSP support, build new files.
 
 * modules/ssl/mod_ssl.dsp: Build new files.
 
 * modules/ssl/ssl_toolkit_compat.h: Include headers for OCSP
   interfaces.
 
 PR: 41123
 Submitted by: Marc Stern marc.stern approach.be, Joe Orton
 Reviewed by: Steve Henson steve openssl.org
 
 Added:
 httpd/httpd/trunk/modules/ssl/ssl_engine_ocsp.c   (with props)
 httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c   (with props)
 Modified:
 httpd/httpd/trunk/CHANGES
 httpd/httpd/trunk/modules/ssl/config.m4
 httpd/httpd/trunk/modules/ssl/mod_ssl.c
 httpd/httpd/trunk/modules/ssl/mod_ssl.dsp
 httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
 httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
 httpd/httpd/trunk/modules/ssl/ssl_private.h
 httpd/httpd/trunk/modules/ssl/ssl_toolkit_compat.h
 
 Modified: httpd/httpd/trunk/CHANGES
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=599385r1=599384r2=599385view=diff
 ==
 --- httpd/httpd/trunk/CHANGES [utf-8] (original)
 +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Nov 29 03:18:40 2007
 @@ -2,6 +2,9 @@
  Changes with Apache 2.3.0
  [ When backported to 2.2.x, remove entry from this file ]
  
 +  *) mod_ssl: Add support for OCSP validation of client certificates.
 + PR 41123.  [Marc Stern marc.stern approach.be, Joe Orton]
 +

Shouldn't we add Steve to this? As far as I followed the discussion in Bugzilla
he contributed very valuable points and we have credited people for less in the 
past :-).



 Added: httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c
 URL: 
 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c?rev=599385view=auto
 ==
 --- httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c (added)
 +++ httpd/httpd/trunk/modules/ssl/ssl_util_ocsp.c Thu Nov 29 03:18:40 2007
 @@ -0,0 +1,299 @@
 +/* Licensed to the Apache Software Foundation (ASF) under one or more
 + * contributor license agreements.  See the NOTICE file distributed with
 + * this work for additional information regarding copyright ownership.
 + * The ASF licenses this file to You under the Apache License, Version 2.0
 + * (the License); you may not use this file except in compliance with
 + * the License.  You may obtain a copy of the License at
 + *
 + * http://www.apache.org/licenses/LICENSE-2.0
 + *
 + * Unless required by applicable law or agreed to in writing, software
 + * distributed under the License is distributed on an AS IS BASIS,
 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 + * See the License for the specific language governing permissions and
 + * limitations under the License.
 + */
 +
 +/* This file implements an OCSP client including a toy HTTP/1.0
 + * client.  Once httpd depends on a real HTTP client library, most of
 + * this can be thrown away. */
 +
 +#include ssl_private.h
 +
 +#ifdef HAVE_OCSP
 +
 +#include apr_buckets.h
 +#include apr_uri.h
 +
 +/* Serialize an OCSP request which will be sent to the responder at
 + * given URI to a memory BIO object, which is returned. */
 +static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri)
 +{
 +BIO *bio;
 +int len;
 +
 +len = i2d_OCSP_REQUEST(req, NULL);
 +
 +bio = BIO_new(BIO_s_mem());
 +
 +BIO_printf(bio, POST %s%s HTTP/1.0\r\n
 +   Host: %s:%d\r\n
 +   Content-Length: %d\r\n
 +   \r\n, 
 +   uri-path, uri-query ? uri-query : ,
 +   uri-hostname, uri-port, len);
 +
 +if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
 +BIO_free(bio);
 +return NULL;
 +}
 +
 +return bio;
 +}
 +
 +/* Send the OCSP request serialized into BIO 'request' to the
 + * responder at given server given by URI.  Returns socket object or
 + * 

mod_ssl OCSP questions

[Joe Orton]

Taking this discussion out of bugzilla.  As implemented currently the 
OCSP validation is working like this:

1) trusted store T initialized with root certs configured via SSLCA*
2) foreach cert in chain from (root...client certificate):
   a) verify cert is signed by trusted cert (or, is transitively so)
   b) if so, perform OCSP validation on cert as follows:
 i) pick a responder, exchange OCSP messages
 ii) verify signature of OCSP response against certs in trusted 
 store T

I'm not familiar with how OCSP is typically deployed; my questions are:

a) is it acceptable to assume that the same set of trusted certs is used 
to verify the signature of the OCSP response as is used to verify the 
client cert itself?  Or do these need to be separately configurable?

b) does it really make sense to be doing OCSP validation individually on 
each cert in the peer's cert chain?  Marc mentioned an issue with a 
compromised intermediary cert; but I want to be sure I understand this 
properly.  Can someone explain the exact threat model which checking the 
whole chain would be necessary for?

c) Steve mentioned some responders don't accept requests with nonces.  
What is a sane default?  Send nonces (more secure), or not (better 
interop).  From reading the RFC it looks like mod_ssl should also be 
checking the validity times from the OCSP response, which would help, I 
guess.

Regards,

joe

Re: svn commit: r599385 - in /httpd/httpd/trunk: ./ modules/ssl/

[Joe Orton]

On Thu, Nov 29, 2007 at 09:02:43PM +0100, Ruediger Pluem wrote:
  ==
  --- httpd/httpd/trunk/CHANGES [utf-8] (original)
  +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Nov 29 03:18:40 2007
  @@ -2,6 +2,9 @@
   Changes with Apache 2.3.0
   [ When backported to 2.2.x, remove entry from this file ]
   
  +  *) mod_ssl: Add support for OCSP validation of client certificates.
  + PR 41123.  [Marc Stern marc.stern approach.be, Joe Orton]
  +
 
 Shouldn't we add Steve to this? As far as I followed the discussion in 
 Bugzilla he contributed very valuable points and we have credited 
 people for less in the past :-).

Discussing this stuff makes me slightly uncomfortable, but I try to 
follow a strict rule: credit in CHANGES exactly the set of people who 
contributed actual lines of code.  Steve was credited in the commit 
messages as a reviewer.  Such review is invaluable, no argument at all 
:)

...
  +/* Send the OCSP request serialized into BIO 'request' to the
  + * responder at given server given by URI.  Returns socket object or
  + * NULL on error. */
  +static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, 
  +  conn_rec *c, apr_pool_t *p)
  +{
  +apr_status_t rv;
  +apr_sockaddr_t *sa;
  +apr_socket_t *sd;
  +char buf[HUGE_STRING_LEN];
 
 Is it really a good idea to store this on the stack? Shouldn't we allocate
 this from the pool?

Hmmm, shrug - stack is cheaper than heap.

...
  +while ((len = BIO_read(request, buf, sizeof buf))  0) {
  +char *wbuf = buf;
  +apr_size_t remain = len;
  +
  +do {
  +apr_size_t wlen = remain;
  +
  +rv = apr_socket_send(sd, wbuf, wlen);
  +wbuf += remain;
  +remain -= wlen;
  +} while (rv == APR_SUCCESS  remain  0);
 
 Why do we need remain here and do not use len directly?

Really only to make the types match; len is an int but wlen must be an 
apr_size_t.

...
  +count = 0;
  +while ((line = get_line(tmpbb, bb, c, p)) != NULL  line[0]
  +++count  MAX_HEADERS) {
  +ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
  +  OCSP response header: %s, line);
  +}
 
 Why don't we exit with an error message if count  MAX_HEADERS?

Good catch, will fix.

...
  +apr_brigade_destroy(bb);
  +apr_brigade_destroy(tmpbb);
 
 We miss to destroy the brigades in the cases above where we return NULL.

They are allocated out of the pool, so it Shouldn't Matter (TM).

Thanks for the review!

joe

Re: mod_ssl OCSP questions

[Dr Stephen Henson]

Joe Orton wrote:
 Taking this discussion out of bugzilla.  As implemented currently the 
 OCSP validation is working like this:
 
 1) trusted store T initialized with root certs configured via SSLCA*
 2) foreach cert in chain from (root...client certificate):
a) verify cert is signed by trusted cert (or, is transitively so)
b) if so, perform OCSP validation on cert as follows:
  i) pick a responder, exchange OCSP messages
  ii) verify signature of OCSP response against certs in trusted 
  store T
 
 I'm not familiar with how OCSP is typically deployed; my questions are:
 
 a) is it acceptable to assume that the same set of trusted certs is used 
 to verify the signature of the OCSP response as is used to verify the 
 client cert itself?  Or do these need to be separately configurable?
 

There are several techniques used.

1. Sign responses using the key from the CA that issued the cert(s)
being checked.

This isn't often done because it would involve the responder having
access to a certificate signing key.

2. Sign responses using a special certificate signed by the CA that
issued the cert(s) being checked.

This is by far the most common. It avoids the problems of 1 and
responses can be verified without additional configuration.

3. Sign responses using a key which is trusted by some out of band means.

This covers cases where (for example) a locate OCSP responder is used to
sign responses for a site or a responder will handle multiple
unconnected CAs.

OpenSSL supports #1 and #2 directly so these should be automatic if the
OpenSSL OCSP API has been used correctly.

A limited form of #3 is implemented in OpenSSL. A generalised version
might be more appropriate in some circumstances but would need
additional configuration options to implement.

 b) does it really make sense to be doing OCSP validation individually on 
 each cert in the peer's cert chain?  Marc mentioned an issue with a 
 compromised intermediary cert; but I want to be sure I understand this 
 properly.  Can someone explain the exact threat model which checking the 
 whole chain would be necessary for?
 

If the CA key is compromised (e.g. used once maliciously) then it can be
used to issue an OCSP responder certificate under #2 above. That could
be used in a bogus responder.

Some security policies don't consider this likely enough to check the
whole chain and just check the EE cert which is much more likely to be
revoked.

I'd say making this configurable would be the best option.

 c) Steve mentioned some responders don't accept requests with nonces.  
 What is a sane default?  Send nonces (more secure), or not (better 
 interop).  From reading the RFC it looks like mod_ssl should also be 
 checking the validity times from the OCSP response, which would help, I 
 guess.
 

I'll check how we are using the API. There are some OCSP helper
functions in OpenSSL which check the appropriate times and allow a
configurable skew for cases where clocks are inaccurately set. How
much skew to allow in practice may again depend on local policy.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.

Re: svn commit: r599385 - in /httpd/httpd/trunk: ./ modules/ssl/

[Ruediger Pluem]

On 11/29/2007 10:03 PM, Joe Orton wrote:
 On Thu, Nov 29, 2007 at 09:02:43PM +0100, Ruediger Pluem wrote:
 ==
 --- httpd/httpd/trunk/CHANGES [utf-8] (original)
 +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Nov 29 03:18:40 2007
 @@ -2,6 +2,9 @@
  Changes with Apache 2.3.0
  [ When backported to 2.2.x, remove entry from this file ]
  
 +  *) mod_ssl: Add support for OCSP validation of client certificates.
 + PR 41123.  [Marc Stern marc.stern approach.be, Joe Orton]
 +
 Shouldn't we add Steve to this? As far as I followed the discussion in 
 Bugzilla he contributed very valuable points and we have credited 
 people for less in the past :-).
 
 Discussing this stuff makes me slightly uncomfortable, but I try to 
 follow a strict rule: credit in CHANGES exactly the set of people who 
 contributed actual lines of code.  Steve was credited in the commit 
 messages as a reviewer.  Such review is invaluable, no argument at all 
 :)

This rule is fine with me. I guess everybody has its own ruleset here which
might be slightly different.
I guess Steve is famous enough such that he can live without a CHANGES entry
and only a commit message :).


 
 ...
 +/* Send the OCSP request serialized into BIO 'request' to the
 + * responder at given server given by URI.  Returns socket object or
 + * NULL on error. */
 +static apr_socket_t *send_request(BIO *request, const apr_uri_t *uri, 
 +  conn_rec *c, apr_pool_t *p)
 +{
 +apr_status_t rv;
 +apr_sockaddr_t *sa;
 +apr_socket_t *sd;
 +char buf[HUGE_STRING_LEN];
 Is it really a good idea to store this on the stack? Shouldn't we allocate
 this from the pool?
 
 Hmmm, shrug - stack is cheaper than heap.

Just thought of platforms with small default stack sizes.
So lets stick to it until someone reports problems.

 
 ...
 +while ((len = BIO_read(request, buf, sizeof buf))  0) {
 +char *wbuf = buf;
 +apr_size_t remain = len;
 +
 +do {
 +apr_size_t wlen = remain;
 +
 +rv = apr_socket_send(sd, wbuf, wlen);
 +wbuf += remain;
 +remain -= wlen;
 +} while (rv == APR_SUCCESS  remain  0);
 Why do we need remain here and do not use len directly?
 
 Really only to make the types match; len is an int but wlen must be an 
 apr_size_t.

Thanks for explaining.


 ...
 +apr_brigade_destroy(bb);
 +apr_brigade_destroy(tmpbb);
 We miss to destroy the brigades in the cases above where we return NULL.
 
 They are allocated out of the pool, so it Shouldn't Matter (TM).

Ok. They are taken from the newly created vpool. So it shouldn't really matter.

Regards

Rüdiger

Re: svn commit: r599385 - in /httpd/httpd/trunk: ./ modules/ssl/

[Dr Stephen Henson]

Ruediger Pluem wrote:
 
 On 11/29/2007 10:03 PM, Joe Orton wrote:
 On Thu, Nov 29, 2007 at 09:02:43PM +0100, Ruediger Pluem wrote:
 ==
 --- httpd/httpd/trunk/CHANGES [utf-8] (original)
 +++ httpd/httpd/trunk/CHANGES [utf-8] Thu Nov 29 03:18:40 2007
 @@ -2,6 +2,9 @@
  Changes with Apache 2.3.0
  [ When backported to 2.2.x, remove entry from this file ]
  
 +  *) mod_ssl: Add support for OCSP validation of client certificates.
 + PR 41123.  [Marc Stern marc.stern approach.be, Joe Orton]
 +
 Shouldn't we add Steve to this? As far as I followed the discussion in 
 Bugzilla he contributed very valuable points and we have credited 
 people for less in the past :-).
 Discussing this stuff makes me slightly uncomfortable, but I try to 
 follow a strict rule: credit in CHANGES exactly the set of people who 
 contributed actual lines of code.  Steve was credited in the commit 
 messages as a reviewer.  Such review is invaluable, no argument at all 
 :)
 
 This rule is fine with me. I guess everybody has its own ruleset here which
 might be slightly different.
 I guess Steve is famous enough such that he can live without a CHANGES entry
 and only a commit message :).
 
 

Can one be famous enough? ;-)

Don't mind at all either way to be honest. I haven't had the opportunity
to study mod_ssl much until now and I hope to do considerably more in
future to at least merit the occasional CHANGES credit.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.

randomized request for apache benchmark

[kaby]

For the primarily web application is no longer static.
Considering factors like cache, instruction prediction, I suppose randomized
request is need to avoid possible bias in benchmark.
So I wanna proposal a patch for this. Any suggestion?


-- 
This is kAbY, after University of Electronic Science and Technology of
China, where we intend to a creative work.

Re: randomized request for apache benchmark

[William A. Rowe, Jr.]

kaby wrote:

For the primarily web application is no longer static.
Considering factors like cache, instruction prediction, I suppose randomized
request is need to avoid possible bias in benchmark.
So I wanna proposal a patch for this. Any suggestion?


ab.c isn't the place for such work, and you are absolutely right
(modern architectures are incredibly good at doing stupidly repetitive
tasks efficiently, and this doesn't mirror the real world).

Would you take a look at

  http://svn.apache.org/repos/asf/httpd/test/trunk/flood/

which is already moving in the direction of flexibility you seek, and
is actively soliciting new ideas and patches?

Bill

how to append to strings...

[Sam Carleton]

I am rewriting part of my module to use expat, a parse I have used in
years gone by.  I know it, I sort of even like it and my XML is pretty
simple, except... I need to extract one text element.   I know that
even though the text I need is in one continues line in the XML, expat
can and at times will call my handler multiple times for that one
continues string.

The question is:  What is the correct way to append all the pieces of
XML that I am going to get from expat into one string?  I recall
reading somewhere that Apache has a really slick way of being able to
break up a string into pieces so that one can quickly inject something
in the middle without having to move any memory around.  What ever it
is called, I am thinking that is the right solution: build an array of
the strings and use this feature of apache to put them together.

Am I on the right track?  If so, can someone enlighten me as to what
exactly I should be looking up in my Writing Apache Modules with Perl
and C book?

Sam