[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Module mod_so



Ben-Nes Michael wrote:

> i don't mind of few small percentage of cpu power to drop, So if it does
> life much easier & security stay high it worth it.
> 
> How about SSL can it be compiled like php3 to use mod_so ?

It's possible, partially, but it requires you to migrate from Apache-SSL
(which you use currently) to mod_ssl.

mod_ssl supports both static and dynamic (which is called libssl.so, if
you ask). However, I wrote "partially", because it still requires
patches in the core Apache, so parts of it are still linked (and also
compiled...) statically into the core Apache.

Note: It will not make the maintainance of SSL easier. Moreover, there
is no chance that Apache-SSL/mod_ssl will become easier, without ASF
allowing to insert patches, at least minor (e.g. EAPI), into the core
Apache.

On the other hand, there are other tricks to make SSL support faster
(but still very heavy):

1. If you use mod_ssl, use MM.
2. Use https (443) only when you must. Exit to http (80) anytime you
   can. On the other hand, remember that users expect to see the locked
   key not only AFTER clicking at the "Submit" button with their credit
   card details, but also DURING fulfilling this form (although no
   secret details will leak if this form is supported through insecure
   protocol, and only the "submit" page is supported through secure
   one). It means also that if this form is a frame, the frameset should
   jump to https too.
3. When building OpenSSL, try to configure it to use Assembly when it
   can.

-- 
Eli Marmor

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il