mpm_worker and mod_ssl: requirements to OpenSSL

mpm_worker and mod_ssl: requirements to OpenSSL

am 09.03.2010 15:18:36 von ef-lists

Hi list,

 

I want to set up a httpd with a worker MPM and mod_ssl.

My question is - will I need a threadsafe build of OpenSSL to

have mod_ssl function correctly? I couldn't find this documented.

(if it is and I just missed it, please point me into the right direction)

I think the particular versions shouldn't matter as I suspect

this to be a general issue in this setup - but if it does matter,

let's assume httpd 2.2.15 and OpenSSL 0.9.8m.

 

Many thanks in advance!

 

Regards,

Edgar

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: mpm_worker and mod_ssl: requirements to OpenSSL

am 09.03.2010 15:25:14 von Nilesh Govindrajan

On Tue, Mar 9, 2010 at 7:48 PM, Edgar Frank wrote:
> Hi list,
>
>
>
> I want to set up a httpd with a worker MPM and mod_ssl.
>
> My question is - will I need a threadsafe build of OpenSSL to
>
> have mod_ssl function correctly? I couldn't find this documented.
>
> (if it is and I just missed it, please point me into the right direction)
>
> I think the particular versions shouldn't matter as I suspect
>
> this to be a general issue in this setup - but if it does matter,
>
> let's assume httpd 2.2.15 and OpenSSL 0.9.8m.
>
>
>
> Many thanks in advance!
>
>
>
> Regards,
>
> Edgar
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project=
..
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Ummm.. I don't think so. I compiled httpd with
openssl-devel-1.0.0-0.13.beta4.fc12.i686

I am unsure if that Fedora rpm is thread safe or not.

--=20
Nilesh Govindarajan
Site & Server Administrator
www.itech7.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: mpm_worker and mod_ssl: requirements to OpenSSL

am 09.03.2010 15:31:33 von Philip Wigg

> I want to set up a httpd with a worker MPM and mod_ssl.
> My question is - will I need a threadsafe build of OpenSSL to
> have mod_ssl function correctly? I couldn't find this documented.
> (if it is and I just missed it, please point me into the right direction)
> I think the particular versions shouldn't matter as I suspect
> this to be a general issue in this setup - but if it does matter,
> let's assume httpd 2.2.15 and OpenSSL 0.9.8m.

http://www.openssl.org/support/faq.html#PROG1

As far as I'm aware, there's no issue with SSL and the worker MPM. The
experimental event MPM is currently not compatible with SSL though.

-- Phil.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: mpm_worker and mod_ssl: requirements to OpenSSL

am 10.03.2010 07:24:34 von ef-lists

> 10/03/09 Nilesh Govindarajan
>On Tue, Mar 9, 2010 at 7:48 PM, Edgar Frank wrote:
>>
>> My question is - will I need a threadsafe build of OpenSSL to
>> have mod_ssl function correctly? I couldn't find this documented.
>
>Ummm.. I don't think so. I compiled httpd with
>openssl-devel-1.0.0-0.13.beta4.fc12.i686
>
>I am unsure if that Fedora rpm is thread safe or not.

You can check it with openssl version -a. If you see your platform specific
threadsafety macros, it is obviously threadsafe.
Besideds, you can check the opensslconf.h in the openssl include dir
and look if it has the OPENSSL_THREADS macro.

I wonder why I see no such checks for this macro in mod_ssl.

As the documentation says, OpenSSL should be threadsafe on
most platforms out of the box. But at least the RPM in OpenPKG has
it disabled by default and I'm experiencing some spurious SSL errors.

Regards,
Edgar

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: mpm_worker and mod_ssl: requirements to OpenSSL

am 10.03.2010 07:36:28 von ef-lists

>> My question is - will I need a threadsafe build of OpenSSL to
>> have mod_ssl function correctly? I couldn't find this documented.

> 10/03/09 Philip Wigg
>
>http://www.openssl.org/support/faq.html#PROG1
>
>As far as I'm aware, there's no issue with SSL and the worker MPM. The
>experimental event MPM is currently not compatible with SSL though.

I read that part, but IMHO it doesn't say what happens if a multithreaded
application uses the non-threadsafe version of OpenSSL. It just says
that OpenSSL is threadsafe on most platforms by default. mod_ssl
imposes no restrictions on OpenSSL being compiled threadsafe
(e.g. by checking the OPENSSL_THREADS macro in opensslconf.h).

I'm aware, that the event worker can't be used with SSL. I guess it's
because the SSL_CTX can't be shared among threads with the current
OpenSSL implementation?

Regards,
Edgar

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org