Re: [request] public API to SSL_CTX from mod_ssl
On 22 March 2017 at 10:26, William A Rowe Jrwrote: > On Tue, Mar 21, 2017 at 6:08 PM, zzz wrote: > > I am prototyping an Apache module that performs certain security > compliance > > checks, one aspect of which requires access to the SSL_CTX that mod_ssl > > creates for an SSL enabled server. > > > > Access to that object is currently through the SSLSrvConfigRec->server > and > > modssl_ctx_t->ssl_ctx structures, which works well but I would like to > avoid > > directly accessing these private structures if possible. > > > > It would be nice if the public API of mod_ssl (perhaps exposed in > > ssl_util_ssl.h) defined a function such as: > > > > /* please be a function not a macro! */ > > SSL_CTX *sslctx_from_server(server_rec *s) > > { > > SSLSrvConfigRec *sc = mySrvConfig(s); > > if (sc && sc->enabled > 0) { > > return sc->server->ssl_ctx; > > } > > return NULL; > > } > > > > Of course if there is a better way to go about it glad to hear it! > > Because our design model allows us to substitute at-will the underlying > providers, that is not likely to become public. > > Perhaps an accessor fn to return the ctx or not, but that would have to > be scoped by the version of OpenSSL which mod_ssl is compiled against. > It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or > whatever... you also have a revisioned ssl context structure. > > So diving into the private values is fine, if you know exactly what you > are doing (e.g. you built the OpenSSL dependency too)... otherwise > it's necessary for us to express a new API to get a reversioned ctx > pointer with enough information to know what is at the end of that > pointer. > That is a good point. I guess any function like this would be "user beware" and expects any caller to know what to expect in the rv and what to do with it. Although when you are targeting a stable platform like RHEL you can make some fairly safe assumptions. My main issue is just with the potential private structures to change beneath me, leading to access violations if the offsets change. Even a new *private* API in ssl_private.h that encapsulated the offsets like the above function does would be great. If not, I guess I will just have to be vigilant about upstream changes, maybe by watching Fedora. I know there is a change in trunk that would affect it, but it looks slated for 2.6/3 or whatever.
Re: [request] public API to SSL_CTX from mod_ssl
On Tue, Mar 21, 2017 at 6:08 PM, zzzwrote: > I am prototyping an Apache module that performs certain security compliance > checks, one aspect of which requires access to the SSL_CTX that mod_ssl > creates for an SSL enabled server. > > Access to that object is currently through the SSLSrvConfigRec->server and > modssl_ctx_t->ssl_ctx structures, which works well but I would like to avoid > directly accessing these private structures if possible. > > It would be nice if the public API of mod_ssl (perhaps exposed in > ssl_util_ssl.h) defined a function such as: > > /* please be a function not a macro! */ > SSL_CTX *sslctx_from_server(server_rec *s) > { > SSLSrvConfigRec *sc = mySrvConfig(s); > if (sc && sc->enabled > 0) { > return sc->server->ssl_ctx; > } > return NULL; > } > > Of course if there is a better way to go about it glad to hear it! Because our design model allows us to substitute at-will the underlying providers, that is not likely to become public. Perhaps an accessor fn to return the ctx or not, but that would have to be scoped by the version of OpenSSL which mod_ssl is compiled against. It isn't enough to know that it is OpenSSL vs LibreSSL vs NSSAPI or whatever... you also have a revisioned ssl context structure. So diving into the private values is fine, if you know exactly what you are doing (e.g. you built the OpenSSL dependency too)... otherwise it's necessary for us to express a new API to get a reversioned ctx pointer with enough information to know what is at the end of that pointer.
[request] public API to SSL_CTX from mod_ssl
I am prototyping an Apache module that performs certain security compliance checks, one aspect of which requires access to the SSL_CTX that mod_ssl creates for an SSL enabled server. Access to that object is currently through the SSLSrvConfigRec->server and modssl_ctx_t->ssl_ctx structures, which works well but I would like to avoid directly accessing these private structures if possible. It would be nice if the public API of mod_ssl (perhaps exposed in ssl_util_ssl.h) defined a function such as: /* please be a function not a macro! */ SSL_CTX *sslctx_from_server(server_rec *s) { SSLSrvConfigRec *sc = mySrvConfig(s); if (sc && sc->enabled > 0) { return sc->server->ssl_ctx; } return NULL; } Of course if there is a better way to go about it glad to hear it! Thanks.
Re: svn commit: r1787104 - /httpd/httpd/branches/2.4.x/STATUS
I am find w/ either adding both to docs and TAKE1 or dropping the extra. Whatever we want/decide should be done on trunk 1st and we can add that as an addition. > On Mar 21, 2017, at 2:27 AM, Marion & Christophe JAILLET >wrote: > > Hi, > > +static const char *cmd_servertype(cmd_parms *cmd, void *in_dconf, > > + const char *val) > +{ > +[...] > > +else if (!strcasecmp(val, "FPM") || !strcasecmp(val, "PHP-FPM")) { > > Why? > > PHP-FPM is not documented, neither in the doc, nor in AP_INIT_TAKE1. > > > > In this function, ap_cstr_casecmp could alos be used for consistancy reason. > > Just my 2 cents, > CJ > > > > Le 15/03/2017 à 23:30, cove...@apache.org a écrit : >> Author: covener >> Date: Wed Mar 15 22:30:23 2017 >> New Revision: 1787104 >> >> URL: http://svn.apache.org/viewvc?rev=1787104=rev >> Log: >> vote >> >> >> Modified: >> httpd/httpd/branches/2.4.x/STATUS >> >> Modified: httpd/httpd/branches/2.4.x/STATUS >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1787104=1787103=1787104=diff >> == >> --- httpd/httpd/branches/2.4.x/STATUS (original) >> +++ httpd/httpd/branches/2.4.x/STATUS Wed Mar 15 22:30:23 2017 >> @@ -140,7 +140,7 @@ RELEASE SHOWSTOPPERS: >>http://svn.apache.org/r1782482 >>http://svn.apache.org/r1782532 >> 2.4.x patch: >> http://home.apache.org/~jim/patches/mod_proxy_fcgi-v3.patch >> - +1: jim >> + +1: jim, covener >>PATCHES ACCEPTED TO BACKPORT FROM TRUNK: >>[ start all new proposals below, under PATCHES PROPOSED. ] >> >> >> >
Re: Help with task: Websocket documentation
Sorry my link editor went crazy. Here are the same links a bit simpler: - http://httpd.apache.org/docs-project/ - http://httpd.apache.org/docs-project/#ml On 3/21/2017 7:16 AM, Mike Rumph wrote: Hello Mohit, Help with the project is always welcome. The Apache HTTP Server Documentation Project webpage is a good place to start. - https://urldefense.proofpoint.com/v2/url?u=http-3A__httpd.apache.org_docs-2Dproject_=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=dosEQ8fk2hKexiUuVMoIxUhHLg2PZE9S-ksGD__rCUo=1GlnSrhYIsVBQfxm92CPkEhvQjWMBFugfzwL49SoH4s=g0DAtEpg_-w241LyTIBCvIKfSKmad9yWhHQy8p7FH-w= For help on how to contribute documentation, you will want to discuss on the docs mailing list: - https://urldefense.proofpoint.com/v2/url?u=http-3A__httpd.apache.org_docs-2Dproject_-23ml=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=dosEQ8fk2hKexiUuVMoIxUhHLg2PZE9S-ksGD__rCUo=1GlnSrhYIsVBQfxm92CPkEhvQjWMBFugfzwL49SoH4s=54qk0St6t-scuW6oz7GgtMqvd9LFrmCe79mJrdJR0TI= Thanks, Mike On 3/19/2017 8:08 PM, Mohit Choudhary wrote: I would like to help out with the task listed at https://urldefense.proofpoint.com/v2/url?u=https-3A__helpwanted.apa=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=dosEQ8fk2hKexiUuVMoIxUhHLg2PZE9S-ksGD__rCUo=1GlnSrhYIsVBQfxm92CPkEhvQjWMBFugfzwL49SoH4s=dWnWg0o6pAmsR19_yAeND46ONeu8h9JQobpqAxhGdQQ= che.org/task.html?35d9de95
Re: Help with task: Websocket documentation
Hello Mohit, Help with the project is always welcome. The Apache HTTP Server Documentation Project webpage is a good place to start. - http://httpd.apache.org/docs-project/ For help on how to contribute documentation, you will want to discuss on the docs mailing list: - http://httpd.apache.org/docs-project/#ml Thanks, Mike On 3/19/2017 8:08 PM, Mohit Choudhary wrote: I would like to help out with the task listed at https://helpwanted.apa che.org/task.html?35d9de95
Re: svn commit: r1787104 - /httpd/httpd/branches/2.4.x/STATUS
Hi, +static const char *cmd_servertype(cmd_parms *cmd, void *in_dconf, + const char *val) +{ +[...] +else if (!strcasecmp(val, "FPM") || !strcasecmp(val, "PHP-FPM")) { Why? PHP-FPM is not documented, neither in the doc, nor in AP_INIT_TAKE1. In this function, ap_cstr_casecmp could alos be used for consistancy reason. Just my 2 cents, CJ Le 15/03/2017 à 23:30, cove...@apache.org a écrit : Author: covener Date: Wed Mar 15 22:30:23 2017 New Revision: 1787104 URL: http://svn.apache.org/viewvc?rev=1787104=rev Log: vote Modified: httpd/httpd/branches/2.4.x/STATUS Modified: httpd/httpd/branches/2.4.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1787104=1787103=1787104=diff == --- httpd/httpd/branches/2.4.x/STATUS (original) +++ httpd/httpd/branches/2.4.x/STATUS Wed Mar 15 22:30:23 2017 @@ -140,7 +140,7 @@ RELEASE SHOWSTOPPERS: http://svn.apache.org/r1782482 http://svn.apache.org/r1782532 2.4.x patch: http://home.apache.org/~jim/patches/mod_proxy_fcgi-v3.patch - +1: jim + +1: jim, covener PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]