Best unofficial Apache Server developers community
Jul 19, 2010
Oliver Deakin
Similar Threads
OpenSSL 1.0 and Apache 2.2.15 friendly with each other?
Is Apache 2.2.x fully compatible with OpenSSL 1.0.0? I currently have an apache 2.2.15 build built against the fedora provided openssl 1.0.0a packages, but I don't use this apache heavily, so don't know if there are any caveats or major changes that could cause problems in the 0.9.8 jump to 1.0. I think the Apache provided binaries are still staged against openssl 0.9.8, but is there any reason why one wouldn't want to use 1.0? Thanks, Andy
Re: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
Deprecating obsolete libraries is a good thing, especially if there is a compelling replacement. I think this goes hand in hand with what operating system versions we will be targeting for 2.4. We should inventory which versions of the libraries are offered on each and then make the decision whether to accommodate:
* Windows: none
* Mac OS X 10.6: OpenSSL 0.9.8l 5 Nov 2009
* FreeBSD 6.4-STABLE: OpenSSL 0.9.7e-p1 25 Oct 2004
* FreeBSD 7.2-STABLE: OpenSSL 0.9.8e 23 Feb 2007
* FreeBSD 8-STABLE: OpenSSL 0.9.8k 25 Mar 2009
* OpenBSD 4.6: OpenSSL 0.9.8k 25 Mar 2009
* Solaris 10: 0.9.7 with backports... don't recall what's in the Coolstack but someone else may be able to tell us.
The Coolstack and the Webstack both use the system's SSL bindings. Coolstack symlinks it:
libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
lrwxrwxrwx 1 root root 28 Jul 13 2009 /opt/coolstack/lib/libssl.so.0.9.7 -> /usr/sfw/lib/libssl.so.0.9.7
while webstack links it directly:
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
Bye, Tel: +43 (0) 699 122 96 338 Fax: +43(0) 1 91 333 41 Mail: i.g### @brainsware.org URL: http://brainsware.org/
RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
I'd like to drop support for versions of OpenSSL older than 1.0 in the trunk mod_ssl. We have 200+ lines of compat macro junk and still six different compiler warnings remain in a trunk build against 1.0.0.
pro: simplify code: remove ssl_toolkit_compat.h and all compat macro mess which litters the code
pro: simplify testing: no longer have to test/worry about regressing builds against N subtly different versions of the OpenSSL API all
pro: can drop the internal CRL revocation code in favour of OpenSSL's
pro: users will be "encouraged" to upgrade to a modern OpenSSL which has secure TLS reneg
con: trunk/2.3 won't build on all platforms/distros which ship natively with OpenSSL < 1.0 (duh)
con: I presume this will mean dropping support for the RSA/... toolkits, if they even work still, which I very much doubt
So... love/hate? Regards, Joe
Re: RFC: drop support for OpenSSL < 1.0 in trunk/2.3?
Dr Stephen Henson wrote:
On 25/05/2010 13:45, Joe Orton wrote:
> I'd like to drop support for versions of OpenSSL older than 1.0 in
> the trunk mod_ssl. We have 200+ lines of compat macro junk and still
> six different compiler warnings remain in a trunk build against 1.0.0.
>
> pro: simplify code: remove ssl_toolkit_compat.h and all compat macro
> mess which litters the code
>
> pro: simplify testing: no longer have to test/worry about regressing
> builds against N subtly different versions of the OpenSSL API all
>
> pro: can drop the internal CRL revocation code in favour of OpenSSL's
>
> pro: users will be "encouraged" to upgrade to a modern OpenSSL which
> has secure TLS reneg
>
> con: trunk/2.3 won't build on all platforms/distros which ship
> natively with OpenSSL < 1.0 (duh)
>
> con: I presume this will mean dropping support for the RSA/...
> toolkits, if they even work still, which I very much doubt
>
> So... love/hate?
>
> con: means FIPS 140-2 support would be dropped too. FIPS 140-2 is not supported in 1.0.0, only 0.9.8 (well 0.9.7 too but we recommend everyone use the 1.2 module with 0.9.8 if possible).
Belated comment: FIPS 140-2 is used with Apache, both directly as open source and as vendor supplied binaries. FIPS 140-2 is required in U.S. DoD and federal government environments (where I do much of my consulting work). That requirement has been in place for years but is now actually being enforced. Many users would like to upgrade but can't due to that requirement. Until a new FIPS validation is available for OpenSSL 1.0.0 it would IMHO be a Very Bad Thing to drop support for 0.9.8. Such a validation will require commercial or government sponsorship, as did the earlier validations, plus a long lead time. We get occasional expressions of interest but nothing solid yet, but I'm confident it will happen eventually. In the meantime, dropping support for 0.9.8 will force many government sector Apache users elsewhere.
-Steve M.
OCSP, CRL, apache and openssl questions
Hi there, I am unable to use the SSLOCSPEnable directive in ssl.conf. My httpd-2.2.3-6 running on RHEL5 gives an unknown module error when restarted: "nvalid command 'SSLOCSPEnable', perhaps misspelled or defined by a module not included in the server configuration". Here http://httpd.apache.org/docs/trunk/mod/mod_ssl.html it says that SSLOCSPEnable is "Available in httpd 2.3 and later", so do I need to download and compile httpd 2.3 on my RHEL to be able to use OCSP? What alternatives do I have? And what about using apache+mod_nss to be able to use OCSP with my current apache to "validate" expired client X509 certificates instead of apache+mod_ssl? Or at this state of apache development should I forget OCSP and try to use CRL and automate CRL updates using some cron job and some scripting? Regards, Luis Neves
Fwd: Apache, mod_ssl, OpenSSL 1.0.0 and the TLS ServerName Indication extension
Begin forwarded message:
From: "Yngve Nysaeter Pettersen" <yng### @opera.com>
Date: May 25, 2010 5:08:26 AM PDT
To: "Roy T. Fielding" <field### @gbiv.com>
Subject: Apache, mod_ssl, OpenSSL 1.0.0 and the TLS ServerName Indication extension
Hello Roy, You are most likely not the right person to send this to, so please feel free to forward this email to the right person. OpenSSL 1.0.0 enabled support for the TLS ServerName Indication (SNI) extension, and it seems like at least some versions of mod_ssl have been updated to use that version and to enable the SNI handling. Unfortunately it seems like it is a little too easy to incorrectly configure the server, possibly due to a missing/incorrect ServerName configuration parameter, so the server sends a TLS Unrecognized_Name (112) Warning, even when the correct certificate is installed for the server. A current example is https://www.verisign.com/ , unless they have fixed the problem. As Opera currently upgrades this Warning to a Fatal error, while other browsers apparently ignore it when they send the SNI, so this is causing problems for our users. My guess is that the virtual host, servername and certificate files for servers might not be as synchronized and cross-checked as they perhaps should be.
How can I set concurrent policy for a provider?
I setup a provider service in activeMQ and want to offer 1000 requests at the same time. How can I set the thread policy for this provider?
Problem invoking a provider
Hi all, I have implemented a Provider for my web service but the request doesn't pass into my provider. To declare my provider I have only added these 2 lines before my class:
@javax.xml.ws.WebServiceProvider(portName="HelloWorldSoapBinding", serviceName="HelloWorld")
@javax.xml.ws.ServiceMode(value = javax.xml.ws.Service.Mode.MESSAGE)
Is there no other thing to do? thanks a lot, Fabian.
question about package provider on Solaris
Hello,
Here is how I am trying to make sure sudo is installed on my solaris
boxes:
package {'sudo':
ensure => 'installed',
provider => 'blastwave',
adminfile => '/usr/local/etc/adminfile',
}
The package is installed, but every time puppetd executes, I get this:
notice: //base_server/Package[sudo]/ensure: created
It seems like the package provider is not seeing that sudo is already
installed….
How can I fix that?
Both my puppetmaster and puppetd are 0.25.5
Thanks,
Don
Overriding the default Jettison JSON Provider
I've defined a jaxrs server like:
<jaxrs:server id="myService" address="http://localhost:19300/ai/">
  <jaxrs:serviceBeans>
    <ref bean="resourceService" />
  </jaxrs:serviceBeans>
  <jaxrs:providers>
    <bean class="org.codehaus.jackson.jaxrs.JacksonJsonProvider">
      <property name="mapper">
        <bean class="com.rest.json.ObjectMapperFactoryBean"> </bean>
      </property>
    </bean>
    <ref bean="jaxbElementProvider" />
  </jaxrs:providers>
  <jaxrs:extensionMappings>
    <entry key="json" value="application/json" />
    <entry key="xml" value="application/xml" />
  </jaxrs:extensionMappings>
</jaxrs:server>
For some reason, when I request Json from the service the org.apache.cxf.jaxrs.provider.JSONProvider#readFrom method is used instead of the jackson provider. How can I remove/override the built-provider and replace it with Jackson? Thanks,
Changing operation in ServiceMix CXF consumer --> provider
Hi,
When routing from ServiceMix CXF-BC consumer to ServiceMix CXF-BC
provider, need to call a different operation of CXF provider web service.
The application uses ServiceMix and Camel JBI component. Camel is used for
routing purpose only. The route is
CXF BC consumer ----> Camel ----> CXF BC provider
For example
operation: {http://example.org}hello
changed to
operation: {http://example.org}greet
I tried to set operation as a header in camel route but is not working.
<route>
<from uri="jbi:service:http://example.org/helloRouteBuilder"/>
<setHeader headerName="operationName">
<constant>greet</constant>
</setHeader>
<to uri="jbi:service:http://example.org/greetingService"/>
</route>
I know that this syntax is for Camel CXF endpoints. Will it work for
ServiceMix CXF components?
Anto
Creating key spaces on the fly
Hi everyone, I'm trying to use Cassandra to replace a RDBMS. My application handles domains. And, for every domain it creates a new DB with a pre-defined set of tables. After reading the documentation, I assume that this should be handled on Cassandra by creating new key spaces. Could I know if this is possible? Or if I'm wrong, could you point me to the correct approach? Thanks in advance. Tharindu
Creating a new XML rule
Hi, I am trying to create a new rule, which can be defined in xml-rule file also. The rule is extension to the existing call-param-rule in which we can pass the constant parameters (mainly string constants) which is currently not possible with the call-param-rule. After googling I found the steps to do it which are:
- Update the DTD. You should add an element type for your rule. The element should have an attribute corresponding to each of the rule's initialization parameters.
- Define an ObjectCreationFactory
- Extend DigesterRuleParser, and override the addRuleInstances() method to add the rules for parsing your new element.
I did all the three steps but still I am not able to call the method with string constants which I am defining in the rule-xml. I am getting the values of parameter as null.
Attachments:
*digester-rules.dtd* (This is the updated dtd with the new element added as call-constant-param-rule. So step 1 is done.)
*UpdatedRuleParser.java* (This java file defines the ObjectCreationFactory (ConstantParamRuleFactory) and also extends the DigesterRuleParser.)
*_xelerator_config_rule.xml* (XML file which defines the digester rules).
*_xelerator_config.xml* (XML document which needs to be parsed).
*ConstantParamRule.java* (Extended rule file)
What is it which I am missing or doing wrong? Thanks in advance. --wadi
Creating a file
Hi,
I am trying to create a file from server side following some examples, but
no way, the file is not created.
I have had a look to server logs but I don't find any error and the source
code is not throwing anything.
Here the piece of code:
Node root = session.getRootNode();
Node userRoute=root.getNode("content/myProjectNode");
Node fileNode = userRoute.addNode("myFile.gpx", "nt:file");
Node resNode = fileNode.addNode("jcr:content", "nt:resource");
resNode.setProperty("jcr:mimeType", "text/xml");
resNode.setProperty("jcr:encoding", "UTF-8");
resNode.setProperty("jcr:lastModified",Calendar.getInstance().getTimeInMillis());
resNode.setProperty("jcr:data", new ByteArrayInputStream(myString.getBytes()));
Does anybody find something wrong?
Thanks in advance,
Audrey
Created: (CAMEL-2906) ValueBuilder should provider the DSL for Predicate
ValueBuilder should provider the DSL for Predicate
Creating a directory fails
I don't see anything out of the ordinary here, seems like it's not honoring
the type as a directory but as a file. Any ideas?
err: //bind::slave/File[/var/named/chroot]: Failed to generate additional
resources using 'eval_generate': Cannot manage files of type
characterSpecial
file { '/var/named/chroot':
ensure => directory,
owner => named,
group => named,
mode => 0755,
require => Package['bind-chroot'];
}
Error while creating object
Hi All,
I am getting the following error while creating the object in AMQ,
#0 0x002cd777 in apr_atomic_add32 (mem=0x95123ec, val=4294967295) at
atomic/unix/mutex.c:78
#1 0x016208b8 in
decaf::util::concurrent::atomic::AtomicInteger::decrementAndGet
(this=0x95123e8)
at decaf/util/concurrent/atomic/AtomicInteger.cpp:69
#2 0x015de038 in decaf::lang::ArrayPointer<unsigned char,
decaf::util::concurrent::atomic::AtomicRefCounter>::reset (
this=0xbfa95928, value=0x95130a8 "\177", size=4) at
./decaf/util/concurrent/atomic/AtomicRefCounter.h:68
#3 0x015ddc5c in InetAddress (this=0xbfa9591c, hostname=@0xbfa95954,
ipAddress=0x16604bb "\177", numBytes=4)
at decaf/net/InetAddress.cpp:79
#4 0x015daff7 in Inet4Address (this=0xbfa9591c, hostname=@0xbfa95954,
ipAddress=0x16604bb "\177", numBytes=4)
at decaf/net/Inet4Address.cpp:34
#5 0x015dc073 in __static_initialization_and_destruction_0
(__initialize_p=<value optimized out>,
__priority=<value optimized out>) at
decaf/net/InetAddress.cpp:39
#6 0x016371b6 in __do_global_ctors_aux () from
/usr/local/lib/libactivemq-cpp.so.12
#7 0x01161b11 in _init () from /usr/local/lib/libactivemq-cpp.so.12
#8 0x00811573 in call_init () from /lib/ld-linux.so.2
#9 0x00811683 in _dl_init_internal () from /lib/ld-linux.so.2
#10 0x0080388f in _dl_start_user () from /lib/ld-linux.so.2
What could be the cause of this error, or what am I doing wrong?
Please let me know your inputs.
Thanks,
Manu
Javadocs fixing/creating
Hi dev, Are you aware of http://maven.apache.org/plugins/maven...in/fix-mojo.html? This will create (depending on the properties you set on CLI) missing javadocs in the source files. Properties can also be configured in each project pom.xml. I suggest to fix at least ClassComments for now. The result is shown in the sample below. WDYT? Following will e.g. fix the ClassComment and add a missing @author tag:
mvn javadoc:fix -DdefaultAuthor="<a href=\"mailto:d### @directory.apache.org\">Apache Directory Project</a>" -DfixTags="author" -DfixFieldComment=false -DfixMethodComment=false -Dforce
like
Index: ldap-client-api/src/main/java/org/apache/directory/ldap/client/api/LdapAsyncConnection.java
Creating two instances in code
Hello, I'd like to make some changes to cassandra so that when starting up a node in a cluster, another node starts in another cluster. That requires that the two nodes have different configurations, but DatabaseDescriptor (where I think all the config reading is done) seems to load everything statically when the class is loaded. The configuration path seems to reside in System.getProperties(). Can you suggest a way for me to build a second node with a different configuration path in the same code? Unfortunately, I cannot simply launch two different cassandra instances on the same computer, as I want the second node to have access to information from the first node, such as node load for the first cluster and such (plus even running two separate cassandra instances on the same node seems to require workarounds and hacks). Alexander Altanis
Updated: (DERBY-4745) Custom Authentication Provider : ClassNotFoundException
[
https://issues.apache.org/jira/browse...nels:all-tabpanel
]
EDAH-TALLY updated DERBY-4745:
Creating a virtual host
Jul 17, 2010 Restricting/Allowing Access based on IP. Jun 7, 2010 What do I add to this code to redirect based on 2 cookie values? May 8, 2010 Application Error/500 Internal Server Error is not creating a log entry May 29, 2010 Free Forum Hosting - Leading Provider No-Ad Special Jun 23, 2010