Mailing List Archive

another idea
The netsite commerce server sets the environment variable
"HTTPS" when someone has an SSL connection. I think it would be a good
idea to do that for apache/ssl. (On my site both the SSL and the
non-SSL servers serve the same document set, but I want some CGIs to
only be run through the SSL server, so they can do a check for the
existence of that environment variable.)

What would be an appropriate name for the environment
variable? And -- I'm not too familiar with how environment variables
get passed to scripts that get run-- how do I set the variable in a
module so that it gets passed to CGI, SSI, etc?

thanks,
--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: another idea
>
> The netsite commerce server sets the environment variable
> "HTTPS" when someone has an SSL connection. I think it would be a good
> idea to do that for apache/ssl. (On my site both the SSL and the
> non-SSL servers serve the same document set, but I want some CGIs to
> only be run through the SSL server, so they can do a check for the
> existence of that environment variable.)
>
> What would be an appropriate name for the environment
> variable?

Hmm, HTTPS would seem logical. What does netsite set it to?

> And -- I'm not too familiar with how environment variables
> get passed to scripts that get run-- how do I set the variable in a
> module so that it gets passed to CGI, SSI, etc?

I looked at this a while back, but I forget the details (it was somewhat
arcane, I seem to remember). It's getting late here, but I'll take a look
tomorrow.

Cheers,

Ben.

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England.
Re: another idea
>
> Regarding the SSL server, what's it going to take to allow
> us to use this commercially?

Just comply with my export restrictions, and you can use it (apart from RSAREF
licensing ... fortunately not my problem).

See http://www.algroup.co.uk/Apache-SSL

Cheers,

Ben.

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England.
Re: another idea
Regarding the SSL server, what's it going to take to allow
us to use this commercially?
Re: another idea
Not a problem for those outside the US. Correct. For those
within the US, I am working on it. I just received a copy of the
commercial use RSAREF license yesterday and will be talking to the
folks at Consensus Development next week to work out details.

There's quite a bit that needs to be done to make commercial
use legal within the US. The RSAREF license requires the rsaref source
*not* be distributed with the bundled product, only the object code.
My Apache/SSL non-commercial release includes full source, but the
commercial release apparently can't. Hopefully Consensus will provide
me with object code for all the major platforms, because I don't have
access to all the platforms to compile the rsaref source into object
code myself.

There is also the issue of RC4 (I think Consensus will give
me RC4 object code) to be dealt with.

http://www.c2.org/apachessl/ will have information once I have
signed the license with Consensus. I think I will need to run the
license past you folks first to make sure that in meeting the RSAREF
license restrictions I am not violating the Apache license
restrictions. (And if a commercial use license would violate the
Apache license, I will ask for an exception.)

--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: another idea
>
> Hmm, HTTPS would seem logical. What does netsite set it to?

I believe it only sets it to yes/no or something like
that. (The only code I've used which uses it just checks to see if it
exists.) I'll check that on Monday.

I was thinking about the requirements of the CGI spec for
setting environment variables, which I am not very familiar
with. (Where can I get info on the CGI spec?)

--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: another idea
/*
* "Re: another idea" by sameer <sameer@c2.org>
* written Sat, 18 Nov 1995 14:25:38 -0800 (PST)
*
** Hmm, HTTPS would seem logical. What does netsite set it to?
* I believe it only sets it to yes/no or something like that.
*
*/

Close. It's "ON" or "OFF". Netsite also provides the size of the
stream key as HTTPS_KEYSIZE, and the size of the secret part of the
stream key as HTTPS_SECRETKEYSIZE. Both are integers.

--Rob
Re: another idea
>
> /*
> * "Re: another idea" by sameer <sameer@c2.org>
> * written Sat, 18 Nov 1995 14:25:38 -0800 (PST)
> *
> ** Hmm, HTTPS would seem logical. What does netsite set it to?
> * I believe it only sets it to yes/no or something like that.
> *
> */
>
> Close. It's "ON" or "OFF". Netsite also provides the size of the
> stream key as HTTPS_KEYSIZE, and the size of the secret part of the
> stream key as HTTPS_SECRETKEYSIZE. Both are integers.
>
> --Rob

Thanks for the info. Does this mean that checking for the presence of HTTPS,
rather than the value, is erroneous?

Of course, in the case of Apache-SSL, HTTPS_KEYSIZE == HTTPS_SECRETKEYSIZE,
at least, before it's been through the US export mangler :-)

Wouldn't an HTTPS_VERSION (and perhaps HTTPS_FLAVOUR) be good, too?

Cheers,

Ben.

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England.
Re: another idea
>
> Close. It's "ON" or "OFF". Netsite also provides the size of the
> stream key as HTTPS_KEYSIZE, and the size of the secret part of the
> stream key as HTTPS_SECRETKEYSIZE. Both are integers.
>

Great. I was not familiar with the other settings. In this
case I then believe that emulating the Netscape behavior is wise, with
the addition of HTTPS_CIPHER. (SSL_get_cipher returns things such as
EXP-RC4-MD5 and RC4-MD5 -- I don't know of particular routines within
SSLeay which just give me keysize/secretkeysize/etc., but I'll look
into it, etc.)

--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: another idea
/*
* "Re: another idea" by Ben Laurie <ben@gonzo.ben.algroup.co.uk>
* written Sat, 18 Nov 1995 23:31:25 +0000 (GMT)
*
* Thanks for the info. Does this mean that checking for the presence
* of HTTPS, rather than the value, is erroneous?

In a Netscape server, it means the server is SSL-capable, not that the
server is using it.

* Wouldn't an HTTPS_VERSION (and perhaps HTTPS_FLAVOUR) be good, too?
*/

Yes, it would. There are more variables going in with client
authentication, also. Sameer's suggestion of HTTPS_CIPHER makes sense
as well.

--Rob
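A CGI-side check that follows the point Rob makes above (presence of HTTPS only says the server is SSL-capable; the value says whether SSL is in use), as an added example that is not code from this thread, from Netsite or from Apache-SSL. It reads the variables named in the thread (HTTPS, HTTPS_KEYSIZE, HTTPS_SECRETKEYSIZE and Sameer's proposed HTTPS_CIPHER); the sample environments in the comments are constructed, and the 128-bit floor is an assumed policy value.

```python
import os

# Variables discussed in the thread: on Netsite HTTPS is "ON" or "OFF",
# HTTPS_KEYSIZE / HTTPS_SECRETKEYSIZE are integers, and HTTPS_CIPHER is
# Sameer's proposed addition (values in the style of SSL_get_cipher,
# e.g. "EXP-RC4-MD5" or "RC4-MD5").


def ssl_in_use(env):
    """True only when HTTPS is set to ON.

    Presence alone is the wrong test: an SSL-capable Netsite server also
    sets HTTPS (to "OFF") on a plain HTTP request, so `"HTTPS" in env`
    would let an SSL-only CGI run over cleartext.
    """
    return env.get("HTTPS", "").strip().upper() == "ON"


def ssl_info(env):
    """Collect the thread's SSL variables; integers are parsed defensively."""
    def to_int(name):
        try:
            return int(env.get(name, ""))
        except ValueError:
            return None
    return {
        "in_use": ssl_in_use(env),
        "keysize": to_int("HTTPS_KEYSIZE"),
        "secretkeysize": to_int("HTTPS_SECRETKEYSIZE"),
        "cipher": env.get("HTTPS_CIPHER"),
    }


def require_ssl(env, min_secret_bits=128):
    """Gate for an SSL-only CGI: refuse cleartext and short (export) keys.

    Returns (allowed, reason). HTTPS_SECRETKEYSIZE is the secret part of
    the stream key, which is what an export cipher cuts down, so that is
    the number compared against the (assumed) policy floor.
    """
    info = ssl_info(env)
    if not info["in_use"]:
        return False, "not an SSL connection"
    bits = info["secretkeysize"]
    if bits is None:
        return False, "HTTPS_SECRETKEYSIZE missing or not an integer"
    if bits < min_secret_bits:
        return False, "secret key too short: %d bits" % bits
    return True, "ok (%s)" % (info["cipher"] or "cipher unknown")


if __name__ == "__main__":
    # Constructed usage: run as a CGI, the real environment is inspected.
    print(require_ssl(os.environ))
```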
Re: another idea
>
> /*
> * "Re: another idea" by Ben Laurie <ben@gonzo.ben.algroup.co.uk>
> * written Sat, 18 Nov 1995 23:31:25 +0000 (GMT)
> *
> * Thanks for the info. Does this mean that checking for the presence
> * of HTTPS, rather than the value, is erroneous?
>
> In a Netscape server, it means the server is SSL-capable, not that the
> server is using it.
>
> * Wouldn't an HTTPS_VERSION (and perhaps HTTPS_FLAVOUR) be good, too?
> */
>
> Yes, it would. There are more variables going in with client
> authentication, also. Sameer's suggestion of HTTPS_CIPHER makes sense
> as well.

Cooo - you mean Apache-SSL does something Netsite doesn't? (Client
authentication, that is).

Cheers,

Ben.

--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant Fax: +44 (181) 994 6472
and Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England.
Re: another idea
>
> Cooo - you mean Apache-SSL does something Netsite doesn't? (Client
> authentication, that is).

Apache/SSL also:
A) Does 128bit encryption worldwide.
B) Has full source available
C) Has an easier to use API (not that the netscape API is less powerful, but
the netscape docs make it difficult to learn the API, but the apache
source makes it real easy to learn the API.)

(and of course everything else you are all very familiar
with.)

I should move to another country so I can -really- do free
crypto development. This whole export/patent stuff really sucks.

--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: another idea
C) Has an easier to use API (not that the netscape API is less powerful, but
the netscape docs make it difficult to learn the API, but the apache
source makes it real easy to learn the API.)

I guess it's "be fair to Netscape, folx" time again... the Netscape
server may not ship with full source, but they do supply some NSAPI
loggers, etc., which are intended to be used as examples; you can also
find a few in the server tech notes section on the Netscape web site.
Granted, learning the Netscape API from the docs would be tough, but
the docs aren't all you have.

(The thing I do wonder about wrt the Netscape API is how easy it is to
*configure* an extension --- including per-directory configuration,
where applicable. That's not to say that it's easier with Apache,
just that I simply don't know).

rst
Re: another idea
>
> (The thing I do wonder about wrt the Netscape API is how easy it is to
> *configure* an extension --- including per-directory configuration,
> where applicable. That's not to say that it's easier with Apache,
> just that I simply don't know).
>

It's not all that difficult. You just use the <Directory>
directives, and put the API functions you want to use within that
directory, and they are used only in those dirs but not others.

I *believe* that there is a problem with the wildcard matching
in the directory directive, but I haven't looked at it in depth
personally. (if you have two sets of per-dir configuration sets,
/usr/docs/set1/* and /usr/docs/set1/sub/* the stuff within
/usr/docs/set1/sub* matches /usr/docs/set1/* and the /usr/docs/set1/*
configuration applies not the /usr/docs/set1/sub/* stuff... again, I'm
not completely familiar with this problem, but that seems to be the
case.)

--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org/ (or login as "guest") sameer@c2.org
Re: another idea
/*
* "Re: another idea" by sameer <sameer@c2.org>
* written Sun, 19 Nov 1995 14:30:53 -0800 (PST)
*
* I *believe* that there is a problem with the wildcard matching
* in the directory directive, but I haven't looked at it in depth
* personally. (if you have two sets of per-dir configuration sets,
* /usr/docs/set1/* and /usr/docs/set1/sub/* the stuff within
* /usr/docs/set1/sub* matches /usr/docs/set1/* and the
* /usr/docs/set1/* configuration applies not the /usr/docs/set1/sub/*
* stuff... again, I'm not completely familiar with this problem, but
* that seems to be the case.)
*
*/

Only if the two settings are conflicting. If you say "for
/usr/docs/set1/*, turn on CGI" and then say "for /usr/docs/set1/sub/*,
turn off CGI" the first setting will apply. Similarly, if you have two
authentications, and the first says "don't let Fred in" and the second
says "let Fred in", it will not let him in.

--Rob
Re: another idea
> C) Has an easier to use API (not that the netscape API is less powerful, but
> the netscape docs make it difficult to learn the API, but the apache
> source makes it real easy to learn the API.)
>
> I guess it's "be fair to Netscape, folx" time again... the Netscape
> server may not ship with full source, but they do supply some NSAPI
> loggers, etc., which are intended to be used as examples; you can also
> find a few in the server tech notes section on the Netscape web site.
> Granted, learning the Netscape API from the docs would be tough, but
> the docs aren't all you have.

No, really easy !

> (The thing I do wonder about wrt the Netscape API is how easy it is to
> *configure* an extension --- including per-directory configuration,
> where applicable. That's not to say that it's easier with Apache,
> just that I simply don't know).

Not much difference there; took me the best part of an hour to get into
it and recompile my Msql and anonymous access modules, written for
apache, into the netscape API. Most time was taken up by working out
how this dynamic linking worked. Let's be honest here, that API is cute,
looks and smells a lot like apache modules; and I can only see it as
a lovely trick to give apache like modules without sending out the source.

Dw.
Re: another idea
sameer wrote:
> I was thinking about the requirements of the CGI spec for
>setting environment variables, which I am not very familiar
>with. (Where can I get info on the CGI spec?)

Try http://www.ast.cam.ac.uk/~drtr/cgi-spec.html

David.