Re: [request] public API to SSL_CTX from mod_ssl

2017-03-21 Thread zzz 
On 22 March 2017 at 10:26, William A Rowe Jr  wrote:

> On Tue, Mar 21, 2017 at 6:08 PM, zzz  wrote:
> > I am prototyping an Apache module that performs certain security
> compliance
> > checks, one aspect of which requires access to the SSL_CTX that mod_ssl
> > creates for an SSL enabled server.
> >
> > Access to that object is currently through the SSLSrvConfigRec->server
> and
> > modssl_ctx_t->ssl_ctx structures, which works well but I would like to
> avoid
> > directly accessing these private structures if possible.
> >
> > It would be nice if the public API of mod_ssl (perhaps exposed in
> > ssl_util_ssl.h) defined a function such as:
> >
> > /* please be a function not a macro! */
> > SSL_CTX *sslctx_from_server(server_rec *s)
> > {
> > SSLSrvConfigRec *sc = mySrvConfig(s);
> > if (sc && sc->enabled > 0) {
> > return sc->server->ssl_ctx;
> > }
> > return NULL;
> > }
> >
> > Of course if there is a better way to go about it glad to hear it!
>
> Because our design model allows us to substitute at-will the underlying
> providers, that is not likely to become public.
>
> Perhaps an accessor fn to return the ctx or not, but that would have to
> be scoped by the version of OpenSSL which mod_ssl is compiled against.
> It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or
> whatever... you also have a revisioned ssl context structure.
>
> So diving into the private values is fine, if you know exactly what you
> are doing (e.g. you built the OpenSSL dependency too)... otherwise
> it's necessary for us to express a new API to get a reversioned ctx
> pointer with enough information to know what is at the end of that
> pointer.
>


That is a good point. I guess any function like this would be "user beware"
and expects any caller to know what to expect in the rv and what to do with
it. Although when you are targeting a stable platform like RHEL you can
make some fairly safe assumptions.

My main issue is just with the potential private structures to change
beneath me, leading to access violations if the offsets change.

Even a new *private* API in ssl_private.h that encapsulated the offsets
like the above function does would be great.

If not, I guess I will just have to be vigilant about upstream changes,
maybe by watching Fedora. I know there is a change in trunk that would
affect it, but it looks slated for 2.6/3 or whatever.

Re: [request] public API to SSL_CTX from mod_ssl

2017-03-21 Thread William A Rowe Jr 
On Tue, Mar 21, 2017 at 6:08 PM, zzz  wrote:
> I am prototyping an Apache module that performs certain security compliance
> checks, one aspect of which requires access to the SSL_CTX that mod_ssl
> creates for an SSL enabled server.
>
> Access to that object is currently through the SSLSrvConfigRec->server and
> modssl_ctx_t->ssl_ctx structures, which works well but I would like to avoid
> directly accessing these private structures if possible.
>
> It would be nice if the public API of mod_ssl (perhaps exposed in
> ssl_util_ssl.h) defined a function such as:
>
> /* please be a function not a macro! */
> SSL_CTX *sslctx_from_server(server_rec *s)
> {
> SSLSrvConfigRec *sc = mySrvConfig(s);
> if (sc && sc->enabled > 0) {
> return sc->server->ssl_ctx;
> }
> return NULL;
> }
>
> Of course if there is a better way to go about it glad to hear it!

Because our design model allows us to substitute at-will the underlying
providers, that is not likely to become public.

Perhaps an accessor fn to return the ctx or not, but that would have to
be scoped by the version of OpenSSL which mod_ssl is compiled against.
It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or
whatever... you also have a revisioned ssl context structure.

So diving into the private values is fine, if you know exactly what you
are doing (e.g. you built the OpenSSL dependency too)... otherwise
it's necessary for us to express a new API to get a reversioned ctx
pointer with enough information to know what is at the end of that
pointer.

[request] public API to SSL_CTX from mod_ssl

2017-03-21 Thread zzz 
I am prototyping an Apache module that performs certain security compliance
checks, one aspect of which requires access to the SSL_CTX that mod_ssl
creates for an SSL enabled server.

Access to that object is currently through the SSLSrvConfigRec->server
and modssl_ctx_t->ssl_ctx structures, which works well but I would like to
avoid directly accessing these private structures if possible.

It would be nice if the public API of mod_ssl (perhaps exposed in
ssl_util_ssl.h) defined a function such as:

/* please be a function not a macro! */
SSL_CTX *sslctx_from_server(server_rec *s)
{
SSLSrvConfigRec *sc = mySrvConfig(s);

if (sc && sc->enabled > 0) {
return sc->server->ssl_ctx;
}
return NULL;
}

Of course if there is a better way to go about it glad to hear it!

Thanks.

Re: svn commit: r1787104 - /httpd/httpd/branches/2.4.x/STATUS

2017-03-21 Thread Jim Jagielski 
I am find w/ either adding both to docs and TAKE1 or
dropping the extra. Whatever we want/decide should be
done on trunk 1st and we can add that as an addition.
> On Mar 21, 2017, at 2:27 AM, Marion & Christophe JAILLET 
>  wrote:
> 
> Hi,
> 
> +static const char *cmd_servertype(cmd_parms *cmd, void *in_dconf,
> 
> +   const char *val)
> +{
> +[...]
> 
> +else if (!strcasecmp(val, "FPM") || !strcasecmp(val, "PHP-FPM")) {
> 
> Why?
> 
> PHP-FPM is not documented, neither in the doc, nor in AP_INIT_TAKE1.
> 
> 
> 
> In this function, ap_cstr_casecmp could alos be used for consistancy reason.
> 
> Just my 2 cents,
> CJ
> 
> 
> 
> Le 15/03/2017 à 23:30, cove...@apache.org a écrit :
>> Author: covener
>> Date: Wed Mar 15 22:30:23 2017
>> New Revision: 1787104
>> 
>> URL: http://svn.apache.org/viewvc?rev=1787104=rev
>> Log:
>> vote
>> 
>> 
>> Modified:
>> httpd/httpd/branches/2.4.x/STATUS
>> 
>> Modified: httpd/httpd/branches/2.4.x/STATUS
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1787104=1787103=1787104=diff
>> ==
>> --- httpd/httpd/branches/2.4.x/STATUS (original)
>> +++ httpd/httpd/branches/2.4.x/STATUS Wed Mar 15 22:30:23 2017
>> @@ -140,7 +140,7 @@ RELEASE SHOWSTOPPERS:
>>http://svn.apache.org/r1782482
>>http://svn.apache.org/r1782532
>>   2.4.x patch: 
>> http://home.apache.org/~jim/patches/mod_proxy_fcgi-v3.patch
>> - +1: jim
>> + +1: jim, covener
>>PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>>[ start all new proposals below, under PATCHES PROPOSED. ]
>> 
>> 
>> 
>

Re: Help with task: Websocket documentation

2017-03-21 Thread Mike Rumph 

Sorry my link editor went crazy.
Here are the same links a bit simpler:

- http://httpd.apache.org/docs-project/
- http://httpd.apache.org/docs-project/#ml


On 3/21/2017 7:16 AM, Mike Rumph wrote:

Hello Mohit,

Help with the project is always welcome.
The Apache HTTP Server Documentation Project webpage is a good place 
to start.
- 
https://urldefense.proofpoint.com/v2/url?u=http-3A__httpd.apache.org_docs-2Dproject_=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=dosEQ8fk2hKexiUuVMoIxUhHLg2PZE9S-ksGD__rCUo=1GlnSrhYIsVBQfxm92CPkEhvQjWMBFugfzwL49SoH4s=g0DAtEpg_-w241LyTIBCvIKfSKmad9yWhHQy8p7FH-w= 



For help on how to contribute documentation, you will want to discuss 
on the docs mailing list:
- 
https://urldefense.proofpoint.com/v2/url?u=http-3A__httpd.apache.org_docs-2Dproject_-23ml=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=dosEQ8fk2hKexiUuVMoIxUhHLg2PZE9S-ksGD__rCUo=1GlnSrhYIsVBQfxm92CPkEhvQjWMBFugfzwL49SoH4s=54qk0St6t-scuW6oz7GgtMqvd9LFrmCe79mJrdJR0TI= 


Thanks,

Mike

On 3/19/2017 8:08 PM, Mohit Choudhary wrote:
I would like to help out with the task listed at 
https://urldefense.proofpoint.com/v2/url?u=https-3A__helpwanted.apa=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=dosEQ8fk2hKexiUuVMoIxUhHLg2PZE9S-ksGD__rCUo=1GlnSrhYIsVBQfxm92CPkEhvQjWMBFugfzwL49SoH4s=dWnWg0o6pAmsR19_yAeND46ONeu8h9JQobpqAxhGdQQ= 
che.org/task.html?35d9de95

Re: Help with task: Websocket documentation

2017-03-21 Thread Mike Rumph 

Hello Mohit,

Help with the project is always welcome.
The Apache HTTP Server Documentation Project webpage is a good place to 
start.

- http://httpd.apache.org/docs-project/
For help on how to contribute documentation, you will want to discuss on 
the docs mailing list:

- http://httpd.apache.org/docs-project/#ml

Thanks,

Mike

On 3/19/2017 8:08 PM, Mohit Choudhary wrote:

I would like to help out with the task listed at https://helpwanted.apa
che.org/task.html?35d9de95

Re: svn commit: r1787104 - /httpd/httpd/branches/2.4.x/STATUS

2017-03-21 Thread Marion & Christophe JAILLET 

Hi,

+static const char *cmd_servertype(cmd_parms *cmd, void *in_dconf,

+   const char *val)
+{
+[...]

+else if (!strcasecmp(val, "FPM") || !strcasecmp(val, "PHP-FPM")) {

Why?

PHP-FPM is not documented, neither in the doc, nor in AP_INIT_TAKE1.



In this function, ap_cstr_casecmp could alos be used for consistancy reason.

Just my 2 cents,
CJ



Le 15/03/2017 à 23:30, cove...@apache.org a écrit :

Author: covener
Date: Wed Mar 15 22:30:23 2017
New Revision: 1787104

URL: http://svn.apache.org/viewvc?rev=1787104=rev
Log:
vote


Modified:
 httpd/httpd/branches/2.4.x/STATUS

Modified: httpd/httpd/branches/2.4.x/STATUS
URL: 
http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1787104=1787103=1787104=diff
==
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Wed Mar 15 22:30:23 2017
@@ -140,7 +140,7 @@ RELEASE SHOWSTOPPERS:
http://svn.apache.org/r1782482
http://svn.apache.org/r1782532
   2.4.x patch: http://home.apache.org/~jim/patches/mod_proxy_fcgi-v3.patch
- +1: jim
+ +1: jim, covener
  
  PATCHES ACCEPTED TO BACKPORT FROM TRUNK:

[ start all new proposals below, under PATCHES PROPOSED. ]