Mailing List Archive

ap_ssl_* backport
The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with the additions of our OCSP hook support in the core server. In case you did not follow it, a short summary of the changes:

1. httpd core offers functions/hooks so that SSL related things
can be queried without optional functions. That means all the
lookups in modules of the "ssl_is_https(conn_rec *c)" have
been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
2. The provisioning of SSL certificates for servers, as done by mod_md,
has also now a central hub in the server. This means other modules
besides mod_ssl/mod_md can use/offer certificate services.
3. The OCSP response data that is used in "SSL Stapling" has also now
a central hub with functions/hooks. That means other SSL modules can
use mod_md services and another OCSP stapling module may be written
and installed without changes to SSL modules.

All these new server functions/hooks are agnostic of the actual *SSL implementation. One might mix modules using OpenSSL with ones using libressl or exotics like rustls.

4. mod_ssl has been extended to use these new functions/hooks while maintaining its own OPTIONAL functions and support. This should give full backward compatibility for 3rd party modules for interop with mod_ssl.

5. mod_md has been extended to use/register at the new core hooks. The PR also includes a range of other, unrelated enhancements to mod_md, like multiple certificates and EC keys. It would have been possible to separate this out, but it would have required more testing combinations and the number of branches/repros to juggle are already high enough.

As with all github PRs, you can get the diff simply by appending ".diff", so <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier review, I extract the parts related only to the core server and the ones only related to mod_ssl and attach them here.

I would very much appreciate it if some of you find the time to point to my mistakes.

Cheers, Stefan
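As an added illustration of what item 1 and the "agnostic of the actual *SSL implementation" point mean in practice (this is not code from PR 179 or from httpd itself), here is a simplified model of the run-first hook dispatch behind ap_ssl_conn_is_ssl(): conn_rec, the OK/DECLINED values, the hook table and both module callbacks are stand-ins constructed for this example, and the rustls-based module is hypothetical.

```c
#include <string.h>
#define DECLINED (-1)  /* hook has no opinion about this connection */
#define OK 0           /* hook says: this connection is SSL */
#define MAX_HOOKS 8
/* Stand-in for httpd's conn_rec: just the backend owning the connection
 * (constructed sample values: "openssl", "rustls", or NULL for plain TCP). */
typedef struct { const char *ssl_backend; } conn_rec;
typedef int (*ssl_conn_is_ssl_fn)(conn_rec *c);
static ssl_conn_is_ssl_fn hooks[MAX_HOOKS];
static int nhooks;
/* Modules register a hook instead of exporting an optional function. */
void ap_hook_ssl_conn_is_ssl(ssl_conn_is_ssl_fn fn)
{
    if (nhooks < MAX_HOOKS) hooks[nhooks++] = fn;
}
/* Core side, run-first dispatch: the first hook that does not DECLINE
 * decides; with no interested module the connection is not SSL. */
int ap_ssl_conn_is_ssl(conn_rec *c)
{
    for (int i = 0; i < nhooks; i++) {
        int rv = hooks[i](c);
        if (rv != DECLINED) return rv == OK;
    }
    return 0;
}

/* An OpenSSL-based module answers only for its own connections... */
static int openssl_conn_is_ssl(conn_rec *c)
{
    return (c->ssl_backend && !strcmp(c->ssl_backend, "openssl")) ? OK : DECLINED;
}

/* ...and a hypothetical rustls-based module coexists with it; neither
 * needs to know about the other, which is the point of the core hub. */
static int rustls_conn_is_ssl(conn_rec *c)
{
    return (c->ssl_backend && !strcmp(c->ssl_backend, "rustls")) ? OK : DECLINED;
}

/* Register both modules once, then ask the core about one connection. */
int demo_conn_is_ssl(const char *backend)
{
    static int registered;
    conn_rec c = { backend };
    if (!registered) {
        ap_hook_ssl_conn_is_ssl(openssl_conn_is_ssl);
        ap_hook_ssl_conn_is_ssl(rustls_conn_is_ssl);
        registered = 1;
    }
    return ap_ssl_conn_is_ssl(&c);  /* 1 for "openssl"/"rustls", 0 for NULL */
}
```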
Re: ap_ssl_* backport
On 4/13/21 3:00 PM, Stefan Eissing wrote:
> The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with the additions of our OCSP hook support in the core server. In case you did not follow it, a short summary of the changes:
>
> 1. httpd core offers functions/hooks so that SSL related things
> can be queried without optional functions. That means all the
> lookups in modules of the "ssl_is_https(conn_rec *c)" have
> been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
> 2. The provisioning of SSL certificates for servers, as done by mod_md,
> has also now a central hub in the server. This means other modules
> besides mod_ssl/mod_md can use/offer certificate services.
> 3. The OCSP response data that is used in "SSL Stapling" has also now
> a central hub with functions/hooks. That means other SSL modules can
> use mod_md services and another OCSP stapling module may be written
> and installed without changes to SSL modules.
>
> All these new server functions/hooks are agnostic of the actual *SSL implementation. One might mix modules using OpenSSL with ones using libressl or exotics like rustls.
>
> 4. mod_ssl has been extended to use these new functions/hooks while maintaining its own OPTIONAL functions and support. This should give full backward compatibility for 3rd party modules for interop with mod_ssl.
>
> 5. mod_md has been extended to use/register at the new core hooks. The PR also includes a range of other, unrelated enhancements to mod_md, like multiple certificates and EC keys. It would have been possible to separate this out, but it would have required more testing combinations and the number of branches/repros to juggle are already high enough.
>
> As with all github PRs, you can get the diff simply by appending ".diff", so <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier review, I extract the parts related only to the core server and the ones only related to mod_ssl and attach them here.
>
> I would very much appreciate it if some of you find the time to point to my mistakes.
>

As it was easier for me I directly commented on the PR.

Regards

Rüdiger
Re: ap_ssl_* backport
> Am 20.04.2021 um 11:57 schrieb Ruediger Pluem <rpluem@apache.org>:
>
>
>
> On 4/13/21 3:00 PM, Stefan Eissing wrote:
>> The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with the additions of our OCSP hook support in the core server. In case you did not follow it, a short summary of the changes:
>>
>> 1. httpd core offers functions/hooks so that SSL related things
>> can be queried without optional functions. That means all the
>> lookups in modules of the "ssl_is_https(conn_rec *c)" have
>> been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
>> 2. The provisioning of SSL certificates for servers, as done by mod_md,
>> has also now a central hub in the server. This means other modules
>> besides mod_ssl/mod_md can use/offer certificate services.
>> 3. The OCSP response data that is used in "SSL Stapling" has also now
>> a central hub with functions/hooks. That means other SSL modules can
>> use mod_md services and another OCSP stapling module may be written
>> and installed without changes to SSL modules.
>>
>> All these new server functions/hooks are agnostic of the actual *SSL implementation. One might mix modules using OpenSSL with ones using libressl or exotics like rustls.
>>
>> 4. mod_ssl has been extended to use these new functions/hooks while maintaining its own OPTIONAL functions and support. This should give full backward compatibility for 3rd party modules for interop with mod_ssl.
>>
>> 5. mod_md has been extended to use/register at the new core hooks. The PR also includes a range of other, unrelated enhancements to mod_md, like multiple certificates and EC keys. It would have been possible to separate this out, but it would have required more testing combinations and the number of branches/repros to juggle are already high enough.
>>
>> As with all github PRs, you can get the diff simply by appending ".diff", so <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier review, I extract the parts related only to the core server and the ones only related to mod_ssl and attach them here.
>>
>> I would very much appreciate it if some of you find the time to point to my mistakes.
>>
>
> As it was easier for me I directly commented on the PR.

Excellent! Will make an update, probably today.

/Stefan
>
> Regards
>
> Rüdiger
Re: ap_ssl_* backport
Updated the PR https://github.com/apache/httpd/pull/179 with r1889009 and recent 2.4.x changes.

> Am 20.04.2021 um 12:05 schrieb Stefan Eissing <stefan.eissing@greenbytes.de>:
>
>
>
>> Am 20.04.2021 um 11:57 schrieb Ruediger Pluem <rpluem@apache.org>:
>>
>>
>>
>> On 4/13/21 3:00 PM, Stefan Eissing wrote:
>>> The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with the additions of our OCSP hook support in the core server. In case you did not follow it, a short summary of the changes:
>>>
>>> 1. httpd core offers functions/hooks so that SSL related things
>>> can be queried without optional functions. That means all the
>>> lookups in modules of the "ssl_is_https(conn_rec *c)" have
>>> been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
>>> 2. The provisioning of SSL certificates for servers, as done by mod_md,
>>> has also now a central hub in the server. This means other modules
>>> besides mod_ssl/mod_md can use/offer certificate services.
>>> 3. The OCSP response data that is used in "SSL Stapling" has also now
>>> a central hub with functions/hooks. That means other SSL modules can
>>> use mod_md services and another OCSP stapling module may be written
>>> and installed without changes to SSL modules.
>>>
>>> All these new server functions/hooks are agnostic of the actual *SSL implementation. One might mix modules using OpenSSL with ones using libressl or exotics like rustls.
>>>
>>> 4. mod_ssl has been extended to use these new functions/hooks while maintaining its own OPTIONAL functions and support. This should give full backward compatibility for 3rd party modules for interop with mod_ssl.
>>>
>>> 5. mod_md has been extended to use/register at the new core hooks. The PR also includes a range of other, unrelated enhancements to mod_md, like multiple certificates and EC keys. It would have been possible to separate this out, but it would have required more testing combinations and the number of branches/repros to juggle are already high enough.
>>>
>>> As with all github PRs, you can get the diff simply by appending ".diff", so <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier review, I extract the parts related only to the core server and the ones only related to mod_ssl and attach them here.
>>>
>>> I would very much appreciate it if some of you find the time to point to my mistakes.
>>>
>>
>> As it was easier for me I directly commented on the PR.
>
> Excellent! Will make an update, probably today.
>
> /Stefan
>>
>> Regards
>>
>> Rüdiger