Re: Problems when compiling as DSO module (and workaround)
Replying to myself (again)... I think that the problem is with apxs, it only gets the CFLAGS configured at Apache's compile time. And they are not right for every module that one will want to add to Apache. Take for example ndbm.h which is needed by mod_ssl. When compiling mod_ssl statically into Apache, there's no problem since Apache takes care of finding where it is located. But when we're building mod_ssl with apxs, if Apache's configure has not figured out where ndbm.h is, compilation will fail. [...] This is wrong since not enabling a module that requires DBM doesn't mean that I'll never want to add one that does in the future. I don't see any trivial solution to this problem. The easier one, IMHO, is to do every check when mod_so is enabled. Adding this to src/modules/standard/mod_so.c (in Apache tarball) does the trick: /* The section for the Configure script: * MODULE-DEFINITION-START * Name: so_module * ConfigStart . ./helpers/find-dbm-lib * ConfigEnd * MODULE-DEFINITION-END */ I didn't find any other helper/check to add, but a more experienced Apache developer may find more. Best, GFK's -- Guillaume Filion Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/ PGP Key and more: http://guillaume.filion.org/ (this will redirect) PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problems when compiling as DSO module (and workaround)
Hi all, I tried to figure out what caused these two problems, here's what I found. I think that the problem is with apxs, it only gets the CFLAGS configured at Apache's compile time. And they are not right for every module that one will want to add to Apache. Take for example ndbm.h which is needed by mod_ssl. When compiling mod_ssl statically into Apache, there's no problem since Apache takes care of finding where it is located. But when we're building mod_ssl with apxs, if Apache's configure has not figured out where ndbm.h is, compilation will fail. Here's an example: $ tar zxf apache_1.3.26.tar.gz $ cd apache_1.3.26 $ ./configure --enable-module=so $ make $ make install $ /usr/local/apache/bin/apxs -q CFLAGS -DLINUX=22 -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite apxs does not provide the location of ndbm.h since configure didn't needed it. $ cd .. $ rm -rf apache_1.3.26 $ tar zxf apache_1.3.26.tar.gz $ cd apache_1.3.26 If, for example, I enable mod_rewrite which requires DBM support, apxs will know where to look for DBM. $ ./configure --enable-module=so --enable-module=rewrite [...] + adding selected modules o rewrite_module uses ConfigStart/End + using -ldb1 for DBM support enabling DBM support for mod_rewrite [...] $ make $ make install $ /usr/local/apache/bin/apxs -q CFLAGS -DLINUX=22 -I/usr/include/db1 -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite This is wrong since not enabling a module that requires DBM doesn't mean that I'll never want to add one that does in the future. I don't see any trivial solution to this problem. The easier one, IMHO, is to do every check when mod_so is enabled. It's a similar problem for the DBM library, src/Makefile stores it into: LIBS1= -lm -lcrypt -ldb1 -ldl [...] LIBS=$(EXTRA_LIBS) $(LIBS1) but this is not exported to apxs. I'm not sure if it should. Am I making some sense here? What do people think about this? Should I file a bug report to Apache about this? I searched bugs.apache.org about this but I couldn't find a single bug about apxs... I think I need a drink! 8) GFK's -- Guillaume Filion Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/ PGP Key and more: http://guillaume.filion.org/ (this will redirect) PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Mod_SSL for Windows 2000/NT/XP
At 00:50 -0400 16/07/02, Cliff Woolley wrote: On Tue, 16 Jul 2002, Brendan Lloyd wrote: And last but not least: can anyone clarify what the state of Apache 2.0 is with regards to OpenSSL/mod_ssl? I've read in some places that Apache 2.0 supports/includes these, but then when I went to download the Windows binary distribution it had the suffix no_ssl? Source distributions of Apache 2.0 include mod_ssl. Binary distributions are a different story, but only because of ambiguities surrounding the (IMHO silly) export restrictions of the US government. We know we're allowed to export *source* for strong encryption software... but whether we're able to legally distribute *binaries* of strong encryption software is unclear. So we don't. Of course, that's more of a burden on our Windows users than on our Unix users, since the former tend to rely on binaries and the latter tend to roll their own since they tend to have the compilation tools on hand. The solution, as has been pointed out, is that somebody outside the US contributed binaries for mod_ssl for Apache 2.0 on Win32 and uploaded them to www.modssl.org/contrib, which is physically located in Germany, as opposed to www.apache.org, which is physically located in the western US. Sigh. Those interested in details on this legal stuff can see this site: http://www.bxa.doc.gov/Encryption/ What is nice with this policy update is that source code is now considered unrestricted (like Cliff said): - Also for the first time, all encryption source code that would be considered publicly available under Section 734.3(b)(3) of the EAR (such as source code posted to the Internet) and the corresponding object code may be exported and reexported under License Exception TSU -- Technology and Software Unrestricted (specifically, Section 740.13(e) of the EAR), once notification (or a copy of the source code) is provided to BIS and the ENC Encryption Request Coordinator. See Note. Even if a license fee or royalty is charged for commercial production or sale of products developed using the source code, such source code is eligible for license exception TSU and no post-export reporting is required. - The complete content of the Export Administration Regulation (EAR) is available at: http://w3.access.gpo.gov/bis/ear/ear_data.html Disclamer: reading the content of the EAR may cause an headache. 8) It looks like binaries made from publically available source code are still considered unrestricted. They explicitly say [publically available source code] and the corresponding object code may be exported and reexported under License Exception TSU. But the License Exception TSU states: - (2) Provisions and Destinations. (i) Provisions. Operation software may be exported or reexported provided that both of the following conditions are met: (A) The operation software is the minimum necessary to operate equipment authorized for export or reexport; and (B) The operation software is in object code. - mod_ssl is not the minimum necessary to operate equipment since it's an add-on module; Apache can work without mod_ssl. And part B totally confused me, it says that ONLY object code can be exported... I guess Apache's official policy is let's not take chance. That sucks... Couldn't they hire a legal advisor that could sort this out? Or easier, can't we just give a call to the BXA and ask them Do object code made from publically available source-code still falls under the License Exception TSU?, that would clear up the question... We could ask them for a signed letter, and if we get problems in the future, we could just show the letter and say that we did our homework. Ok, putting everything on modssl.org/contrib is MUCH MUCH easier. GFK's -- Guillaume Filion Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/ PGP Key and more: http://guillaume.filion.org/ (this will redirect) PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Mod_SSL for Windows 2000/NT/XP
At 16:42 +1000 15/07/02, Brendan Lloyd wrote: I am a new member to this group. I have a question which was asked on 2002-06-07 by Ike Ikonne (for which I could not locate any answer in the list archives) so please forgive me for the repetition... My situation is like Ike's: I too need to install mod_ssl and Open_SSL (ie. require secure web transaction capabilities), with questions as follows: * How can I build OpenSSL and mod_ssl on NT or 2000 (ie. do I have to buy compiler software)? Yes you can, but you'll need to buy MS Visual C++ to compile Apache. Instructions are available at: http://httpd.apache.org/docs/windows.html http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL.Win32 I guess you'll prefer to use the precompiled version avaiable below. * Alternatively, is there a sitfrom which I can download precompiled versions of (or an installation Wizard for) the above? I guess this is what you're looking for: http://www.modssl.org/contrib/Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip Hope this helps, GFK's -- Guillaume Filion Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/ PGP Key and more: http://guillaume.filion.org/ (this will redirect) PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Problems when compiling as DSO module (and workaround)
Hi all, I'm trying to compile mod_ssl-2.8.10-1.3.26 as a DSO (APXS) module on my Debian box, but I got two problems: First, when doing make, I got: mod_ssl.h:349:18: ndbm.h: No such file or directory This is the same problem as described at http://www.mail-archive.com/modssl-users@modssl.org/msg13487.html On my system ndbm.h is located in /usr/include/db1/, so I added -I/usr/include/db1/ in pkg.sslmod/Makefile. It did compile and install well, but when I tried to start Apache, I got this: ali:/www# bin/apachectl start Syntax error on line 208 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/libexec/libssl.so into server: /usr/local/apache/libexec/libssl.so: undefined symbol: dbm_firstkey bin/apachectl start: httpd could not be started This is the same problem as described at http://www.mail-archive.com/modssl-users@modssl.org/msg13505.html Devon Bleak found a workaround to the problem in: http://www.mail-archive.com/modssl-users@modssl.org/msg10438.html So, in short, here's what I did to make it work: apt-get install libgdbmg1 libgdbmg1-dev ./configure --with-apxs=/www/bin/apxs Make these substitutions in pkg.sslmod/Makefile : 6c6 CFLAGS=-I$(INCDIR) -DLINUX=22 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../lib/expat-lite --- CFLAGS=-I$(INCDIR) -DLINUX=22 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../lib/expat-lite -I/usr/include/db1 11c11 LIBS_SHLIB= --- LIBS_SHLIB= -lgdbm make make install Modify my Apache configuration to add this line plus the other mod_ssl stuff: LoadModule ssl_module libexec/libssl.so When I build mod_ssl statically into Apache these problems do not not occur. These problems seem to have been present for a long time (Devon Bleak's workaround dates from February) and do not seem to be really hard to solve, just a bit a configure bork bork and it would find the right headers and libs. This really would make my life easier. 8) Also, when I make install, apxs doesn't seem to modify my configuration file like it does with other apxs modules, is this a wanted behavior? ali:/home/gfk/making-webserver/mod_ssl-2.8.10-1.3.26# make install make[1]: Entering directory `/home/gfk/making-webserver/mod_ssl-2.8.10-1.3.26/pkg.sslmod' make[1]: Nothing to be done for `all'. make[1]: Leaving directory `/home/gfk/making-webserver/mod_ssl-2.8.10-1.3.26/pkg.sslmod' cp libssl.so /usr/local/apache/libexec/libssl.so chmod 755 /usr/local/apache/libexec/libssl.so ali:/home/gfk/making-webserver/mod_ssl-2.8.10-1.3.26# Also, mod_ssl is a *great* tool, but I guess you allready know that! 8) Regards, GFK's -- Guillaume Filion Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/ PGP Key and more: http://guillaume.filion.org/ (this will redirect) PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]