From owner-freebsd-ports Wed Apr 28 12:52:22 1999 Delivered-To: freebsd-ports@freebsd.org Received: from dominik.saargate.de (domi.saargate.de [212.88.132.246]) by hub.freebsd.org (Postfix) with ESMTP id 07CCD15164 for ; Wed, 28 Apr 1999 12:52:17 -0700 (PDT) (envelope-from domi@saargate.de) Received: from localhost (localhost [127.0.0.1]) by dominik.saargate.de (8.9.2/8.8.7) with ESMTP id VAA06943; Wed, 28 Apr 1999 21:52:03 +0200 (CEST) (envelope-from domi@saargate.de) Date: Wed, 28 Apr 1999 21:52:03 +0200 (CEST) From: Dominik Brettnacher To: "kmartin@infoteam.com" Cc: freebsd-ports@freebsd.org Subject: Re: difference in apache13-modssl and apache13-ssl In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 28 Apr 1999, kmartin@infoteam.com wrote: > I see a number of differences under their respective /usr/ports/www > directories, but it isn't clear why you would use one over the other. The differences are explained on http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html: What are the differences between mod_ssl and Apache-SSL, from where it is derived?=A0=A0 [L] This cannot be answered in short, because there are too much changes (see the CHANGES and CHANGES.20 files in the mod_ssl distribution for detailed information). Most of them are internal changes, cleanups and re-organizations of the source code. But the user visible changes are mainly the following: mod_ssl provides a complete documentation (this User Manual) where all configuration directives, environment variables, and other things are documented while Apache-SSL had no such documentation although it existed for over three years when mod_ssl was split from it (in April 1998). Additionally mod_ssl provides answers to often occuring frequently asked questions (this list) in the Apache/SSL/OpenSSL area. For instance mod_ssl gives detailed hints about how to setup a CA, how to create real a server Certificate, etc. And the mod_ssl User Manual provides a compact introduction to the complex SSL area itself. Because here are the typical hurdles located every user stumbles over. mod_ssl comes with clean and documented source code with the intent that only this way the user is able to re-view it for backdoors, security holes, etc. This is considered important for security-related software. It was always incomprehensible to the author of mod_ssl how Apache-SSL could exist for over three years while both the source code and the source patches were provided in an undocumented and partly unreadable format. For the mod_ssl package the source codes follows the Apache coding style, is logically ordered to follow the API phases and even the patches to the Apache source tree are annotated with descriptions to give the user a chance to re-view and understand them. mod_ssl uses a generic Extended API to achieve its functionality. This means instead of patching in SSL/crypto-related code into the Apache kernel a clean and well separated Extended API is patched in. This way the SSL and cryptography code is only present inside the SSL module itself (i.e. inside the src/modules/ssl/ subtree only). The benefit from this is a clean separation and API-conforming SSL solution (which means for instance no direct SSL-references from the kernel, no kludges and hacks to get called, etc). mod_ssl supports Dynamic Shared Object (DSO) building as a direct consequence from using the Extended API. In short DSO support means maximum flexibility under run-time, i.e. you don't have to decide under compile-time whether to build or not to build SSL into the Apache httpd executable. Instead you can just load mod_ssl through mod_so's LoadModule directive on demand. This is especially interesting for two cases: Vendor package maintainers receive the power they need for creating flexible packages and power users receive the ability to run more than one Apache (non-SSL-aware and SSL-aware) instance from a single Apache installation while still saving RAM. mod_ssl is ported to the Win32 platform, as it's the case for Apache and OpenSSL. This way mod_ssl follows the evolution of these packages and provides the always requested support also for this nasty platform. As for the Unix/DSO case under Win32 mod_ssl is well-integrated into Apache through a stand-alone DLL which can be loaded through mod_so's LoadModule directive. mod_ssl can be really easily applied to the Apache source tree because it provides a full-featured and automated configuration environment for this task while Apache-SSL forced the user to fiddle with the patch and cp tools theirself. Just because security is not for amateurs hasn't to mean that user friendliness is not important. So it's a must to assist the user in applying the SSL-stuff to vanilla Apache sources. For this mod_ssl integrates also very-well into the new Apache 1.3 Autoconf-style Interface (APACI). Additionally mod_ssl's configuration mechanism supports the usage of RSAref, arbitrary locations for OpenSSL, etc. mod_ssl fixes a lot of bugs and inconsistencies which existed in Apache-SSL. For Apache experts here are a few impressions: Apache-SSL wrote directly to stderr instead of the Apache error logfile; it messed up it's error messages with the OpenSSL error messages; it directly patched the SERVER_BASEVERSION define instead of using the Apache 1.3 conforming ap_add_version_component function; it used the unsafe sprintf function instead of the robust ap_snprintf; it incorrectly spawned and killed the gcache auxiliary program and it totally failed to pass the ``gcc -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline'' test (while Apache already passes it) because of unclean code. Additionally Apache-SSL didn't provide a way to easily apply it to the Apache source tree (semi-manual editing and patching was required); it didn't seamlessly integrate into the new Apache 1.3 Autoconf-style Interface (APACI) at configuration time; it didn't automatically recognize the difference between an installed OpenSSL and an out-of-the-source-only OpenSSL; it didn't provide integration into the APACI installation process (make install); it used numbers 0 to 2 instead of reasonable names for the argument of SSLVerifyClient just because internally an enum was used and for the provided %{version}c construct of CustomLog it used the results "2", "3" under SSLeay 0.8 while under SSLeay 0.9 the results were "SSL2", "SSL3", etc. pp. mod_ssl adds new functionalities which were missing in Apache-SSL. A few selected points which give you an impression follow: mod_ssl provides a real dedicated SSL log file controlled by log level and the additional features that messages logged at the `error' level are automatically duplicated to the general Apache error log file. And occuring system and OpenSSL error messages are automatically appended to mod_ssl messages. Additionally mod_ssl annotates deep-level OpenSSL messages with more high-level hints. mod_ssl provides a completely new and enhanced handling of encrypted private key files. First the private keys are kept in a permanent memory pool (as OpenSSL already does internally), so Apache now survives server restarts without falling down. Second the pass phrase dialog is a lot more user friendly and advanced: It uses a pass phrase reuse-algorithm to minimize the dialog, it recognizes wrong pass phrases and allows retries (but with a backoff time delay), etc. And additionally a minimal interface is provided to plug-in an external program for providing the pass phrase for special batch security situations. mod_ssl provides the SSLCACertificateReqFile directive which can be used to configure a different (from SSLCACertificateFile) set of CA Certificates for the SSLv3 feature used by the clients to load CA Certificates from the server for speeding up server authentication. mod_ssl replaced the ``gcache'' stuff of Apache-SSL (used for caching SSL sessions) with a more robust DBM-based solution, because the controlling of an external program cannot be done very reliable from within Apache. Additionally a "mutex" is now used to synchronize the inter-process access to this cache. mod_ssl provides support for the OpenSSL+RSAref couple, i.e. mod_ssl supports the building with RSAref. mod_ssl provides a new SSLRequire directive which can be used to implement more granular access control based on arbitrary complex boolean expression. mod_ssl adds support for HTTPS to the Apache Proxy Module (mod_proxy). mod_ssl is the first Open Source version of an SSL extension to Apache which supports the Win32 platform. etc.pp. When you're still really interested in more hard-core details walk through the entries in the CHANGES and CHANGES.20 files in the mod_ssl distribution. [...] --=20 Dominik - http://www.saargate.de/~domi/ "Wir brauchen jetzt aktuelle politische Lieder." - Nina Hagen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message