Date:      Wed, 28 Apr 1999 21:52:03 +0200 (CEST)
From:      Dominik Brettnacher <domi@saargate.de>
To:        "kmartin@infoteam.com" <kmartin@infoteam.com>
Cc:        freebsd-ports@freebsd.org
Subject:   Re: difference in apache13-modssl and apache13-ssl
Message-ID:  <Pine.BSF.4.10.9904282149320.6935-100000@dominik.saargate.de>
In-Reply-To: <fc.3b9aca009a3683443b9aca004483369a.128209@saargate.de>

On Wed, 28 Apr 1999, kmartin@infoteam.com wrote:

> I see a number of differences under their respective /usr/ports/www
> directories, but it isn't clear why you would use one over the other.

The differences are explained on
http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html:

What are the differences between mod_ssl and Apache-SSL, from where it is
derived?

This cannot be answered in short, because there are too many changes (see
the CHANGES and CHANGES.20 files in the mod_ssl distribution for detailed
information). Most of them are internal changes, cleanups and
re-organizations of the source code. But the user visible changes are
mainly the following:

mod_ssl provides a complete documentation (this User Manual) where all
configuration directives, environment variables, and other things are
documented, while Apache-SSL had no such documentation although it had
existed for over three years when mod_ssl was split from it (in April
1998). Additionally mod_ssl provides answers to often occurring frequently
asked questions (this list) in the Apache/SSL/OpenSSL area. For instance
mod_ssl gives detailed hints about how to set up a CA, how to create a real
server Certificate, etc. And the mod_ssl User Manual provides a compact
introduction to the complex SSL area itself, because here are the typical
hurdles located every user stumbles over.

mod_ssl comes with clean and documented source code with the intent that
only this way the user is able to review it for backdoors, security holes,
etc. This is considered important for security-related software. It was
always incomprehensible to the author of mod_ssl how Apache-SSL could
exist for over three years while both the source code and the source
patches were provided in an undocumented and partly unreadable format. For
the mod_ssl package the source code follows the Apache coding style, is
logically ordered to follow the API phases and even the patches to the
Apache source tree are annotated with descriptions to give the user a
chance to review and understand them.

mod_ssl uses a generic Extended API to achieve its functionality. This
means that instead of patching SSL/crypto-related code into the Apache
kernel, a clean and well separated Extended API is patched in. This way
the SSL and cryptography code is only present inside the SSL module itself
(i.e. inside the src/modules/ssl/ subtree only). The benefit from this is
a clean separation and an API-conforming SSL solution (which means for
instance no direct SSL references from the kernel, no kludges and hacks to
get called, etc).

mod_ssl supports Dynamic Shared Object (DSO) building as a direct
consequence of using the Extended API. In short, DSO support means maximum
flexibility at run-time, i.e. you don't have to decide at compile-time
whether or not to build SSL into the Apache httpd executable. Instead you
can just load mod_ssl through mod_so's LoadModule directive on demand.
This is especially interesting for two cases: Vendor package maintainers
receive the power they need for creating flexible packages and power users
receive the ability to run more than one Apache (non-SSL-aware and
SSL-aware) instance from a single Apache installation while still saving
RAM.

mod_ssl is ported to the Win32 platform, as is the case for Apache and
OpenSSL. This way mod_ssl follows the evolution of these packages and
provides the always requested support also for this nasty platform. As for
the Unix/DSO case, under Win32 mod_ssl is well-integrated into Apache
through a stand-alone DLL which can be loaded through mod_so's LoadModule
directive.

mod_ssl can be really easily applied to the Apache source tree because it
provides a full-featured and automated configuration environment for this
task while Apache-SSL forced the user to fiddle with the patch and cp
tools themselves. Just because security is not for amateurs doesn't mean
that user friendliness is not important. So it's a must to assist the user
in applying the SSL stuff to vanilla Apache sources. For this mod_ssl also
integrates very well into the new Apache 1.3 Autoconf-style Interface
(APACI). Additionally mod_ssl's configuration mechanism supports the usage
of RSAref, arbitrary locations for OpenSSL, etc.

mod_ssl fixes a lot of bugs and inconsistencies which existed in
Apache-SSL. For Apache experts here are a few impressions: Apache-SSL
wrote directly to stderr instead of the Apache error logfile; it messed up
its error messages with the OpenSSL error messages; it directly patched
the SERVER_BASEVERSION define instead of using the Apache 1.3 conforming
ap_add_version_component function; it used the unsafe sprintf function
instead of the robust ap_snprintf; it incorrectly spawned and killed the
gcache auxiliary program and it totally failed to pass the ``gcc -Wall
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -Winline'' test (while Apache
already passes it) because of unclean code.
Additionally Apache-SSL didn't provide a way to easily apply it to the
Apache source tree (semi-manual editing and patching was required); it
didn't seamlessly integrate into the new Apache 1.3 Autoconf-style
Interface (APACI) at configuration time; it didn't automatically recognize
the difference between an installed OpenSSL and an out-of-the-source-only
OpenSSL; it didn't provide integration into the APACI installation process
(make install); it used numbers 0 to 2 instead of reasonable names for the
argument of SSLVerifyClient just because internally an enum was used and
for the provided %{version}c construct of CustomLog it used the results
"2", "3" under SSLeay 0.8 while under SSLeay 0.9 the results were "SSL2",
"SSL3", etc. pp.

mod_ssl adds new functionalities which were missing in Apache-SSL. A few
selected points which give you an impression follow:

mod_ssl provides a real dedicated SSL log file controlled by log level and
the additional feature that messages logged at the `error' level are
automatically duplicated to the general Apache error log file. And
occurring system and OpenSSL error messages are automatically appended to
mod_ssl messages. Additionally mod_ssl annotates deep-level OpenSSL
messages with more high-level hints.

mod_ssl provides a completely new and enhanced handling of encrypted
private key files. First, the private keys are kept in a permanent memory
pool (as OpenSSL already does internally), so Apache now survives server
restarts without falling down. Second, the pass phrase dialog is a lot
more user friendly and advanced: It uses a pass phrase reuse algorithm to
minimize the dialog, it recognizes wrong pass phrases and allows retries
(but with a backoff time delay), etc. And additionally a minimal interface
is provided to plug in an external program for providing the pass phrase
for special batch security situations.

mod_ssl provides the SSLCACertificateReqFile directive which can be used
to configure a different (from SSLCACertificateFile) set of CA
Certificates for the SSLv3 feature used by the clients to load CA
Certificates from the server for speeding up server authentication.

mod_ssl replaced the ``gcache'' stuff of Apache-SSL (used for caching SSL
sessions) with a more robust DBM-based solution, because the controlling
of an external program cannot be done very reliably from within Apache.
Additionally a "mutex" is now used to synchronize the inter-process access
to this cache.

mod_ssl provides support for the OpenSSL+RSAref couple, i.e. mod_ssl
supports the building with RSAref.

mod_ssl provides a new SSLRequire directive which can be used to implement
more granular access control based on arbitrarily complex boolean
expressions.

mod_ssl adds support for HTTPS to the Apache Proxy Module (mod_proxy).

mod_ssl is the first Open Source version of an SSL extension to Apache
which supports the Win32 platform.

etc. pp.

When you're still really interested in more hard-core details walk through
the entries in the CHANGES and CHANGES.20 files in the mod_ssl
distribution.

[...]


-- 
Dominik - http://www.saargate.de/~domi/

"Wir brauchen jetzt aktuelle politische Lieder."  - Nina Hagen
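As an added illustration (not part of the original mail or the mod_ssl FAQ it quotes), an Apache 1.3 httpd.conf fragment that exercises the points the FAQ lists: mod_ssl loaded as a DSO through LoadModule, a dedicated SSL log, the DBM session cache with its mutex, an external pass phrase program, the named SSLVerifyClient argument, the %{version}c log construct, and an SSLRequire boolean expression. All file paths, the getpass.sh helper and the organization name "Example Corp" are placeholders.

```apache
# Load mod_ssl at run time as a DSO instead of compiling it into httpd;
# Apache 1.3 also needs AddModule to activate a loaded module.
LoadModule ssl_module libexec/libssl.so
AddModule  mod_ssl.c

# Dedicated SSL log with its own log level; messages at level 'error'
# are duplicated into the general ErrorLog as well.
SSLLog      logs/ssl_engine_log
SSLLogLevel info

# DBM-backed session cache instead of Apache-SSL's external gcache
# process; the mutex serializes inter-process access to the cache.
SSLSessionCache        dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex               file:logs/ssl_mutex

# Pass phrase supplied by an external program for unattended restarts
# (placeholder path); 'builtin' would prompt on the terminal instead.
SSLPassPhraseDialog exec:/usr/local/etc/apache/getpass.sh

Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/apache/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key

    # CA certificates against which client certificates are verified.
    SSLCACertificateFile  /usr/local/etc/apache/ssl.crt/ca-bundle.crt

    # Log the negotiated protocol version and cipher for each request;
    # mod_ssl reports names such as "SSL3" rather than bare numbers.
    CustomLog logs/ssl_request_log \
              "%t %h %{version}c %{cipher}c \"%r\" %b"

    <Location /internal>
        # Named argument rather than Apache-SSL's numeric 0..2.
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Boolean expression: a strong cipher AND a client certificate
        # issued to the placeholder organization "Example Corp".
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and \
                   %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>
</VirtualHost>
```

Requests to /internal that fail the SSLRequire expression are rejected with 403, and the reason is recorded in the dedicated SSL log rather than only in the general error log.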


