feature list
Robert Segall <roseg(at)apsis.ch>
2003-10-20 15:24:40 [ FULL ]
So we now have 1.5 out, lots of downloads, no complaints so far.

We are now opening the features list for the next version. On our TODO right 
now:

- add extra X-SSL header with the encryption method and strength
- support for a list of known CA certificates
- parameter to control client certificate depth verification
- debugging output, various levels
- rewriting of the Destination header on certain WebDAV requests

For the longer term (2.0?) we are considering:

- a new config file syntax
- moving from OpenSSL to the GNUtls library

Please feel free to suggest additions to the lists above.[...]

Re: feature list
Michael Dunstan <michael(at)elyt.com>
2003-10-21 04:07:19 [ FULL ]
On Tuesday, October 21, 2003, at 02:24 AM, Robert Segall wrote:
[...]

I would like to see support for various older versions of "export" 
grade browsers. An example of one of these is IE 5.00 that is installed 
with Windows 98 SE.

You can recreate the behaviour of such a browser with s_client:

   openssl s_client -connect localhost:8443 -cipher EXP-RC4-MD5

Using that to open a connection with Pound will die with a handshake 
error. Note that in IE 5.00 (as above) the browser renders a DNS error 
- doh!

My experiments suggest that Pound just needs to include a simple 
callback to support handling of RSA keys for ephemeral key exchange. 
See http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html

There are several examples of using this floating about the place. 
Including the documentation itself, s_server, mod_ssl and stunnel. The 
implementation of s_server seems to be the crudest. (I copied that into 
Pound for my experimentation to see this actually working.) Meanwhile 
stunnel seems to be the most careful as it includes expiration of the 
keys used.

You can quickly experiment with the inclusion/exclusion of handling of 
a temp RSA key by playing with s_server. Use the above s_client to 
connect to a server that includes key handling:

   openssl s_server -accept 8443 -msg -state -cert test.pem

Then to exclude the key handling use the flag -no_tmp_rsa like so:

   openssl s_server -accept 8443 -msg -state -cert test.pem -no_tmp_rsa

I'm hoping to use the planned X-SSL header with cipher details to 
present a warning page to users of such browsers recommending they 
either upgrade their browser or at the very least install an 
appropriate patch to enable stronger ciphers (assuming that they 
have no import restrictions on such browsers/patches). But I need to 
first ensure that such browsers can actually fetch an https document in 
the first place so that I can sniff the cipher details.

Cheers
Michael Dunstan
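
An added example of the warning-page logic described above (it is not code from this thread or from Pound): a backend reads the cipher description that the planned X-SSL header could carry and serves a warning page when the session is export-grade or weaker than 128 bits. The header name X-SSL-Cipher and the assumption that it carries the same text as `openssl ciphers -v` prints are mine, not the project's.

```python
import re

# Assumed header name; the thread only says "the planned X-SSL header".
CIPHER_HEADER = "HTTP_X_SSL_CIPHER"   # WSGI spelling of X-SSL-Cipher
MIN_BITS = 128                        # anything weaker gets the warning page

# Matches the line format of `openssl ciphers -v` (assumption: the header
# carries the same text), e.g.
#   EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
_DESC = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9_-]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)

def parse_cipher_description(text):
    """Return a dict describing the cipher, or None if the text is not parseable."""
    m = _DESC.match(text.strip())
    if not m:
        return None
    bits = int(m.group("bits")) if m.group("bits") else 0   # Enc=None -> 0 bits
    return {
        "name": m.group("name"), "version": m.group("version"),
        "kx": m.group("kx"), "enc": m.group("enc"), "bits": bits,
        "export": bool(m.group("export")),
    }

def needs_upgrade_warning(header_value, min_bits=MIN_BITS):
    """True when the session is export-grade, weaker than min_bits, or unknown."""
    info = parse_cipher_description(header_value or "")
    if info is None:          # missing or malformed header: treat as weak
        return True
    return info["export"] or info["bits"] < min_bits

WARNING_PAGE = (b"<html><body><h1>Weak encryption detected</h1>"
                b"<p>Your browser negotiated an export-grade cipher. Please upgrade "
                b"it or install the strong-encryption patch.</p></body></html>")

def app(environ, start_response):
    """Minimal WSGI app: warn weak-cipher clients, otherwise serve the real page."""
    if needs_upgrade_warning(environ.get(CIPHER_HEADER)):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [WARNING_PAGE]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure content\n"]
```

The parser also accepts the `Enc=None` and newer `Enc=AESGCM(256)` forms, so the same check keeps working after the export ciphers are gone.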

Re: feature list
Robert Segall <roseg(at)apsis.ch>
2003-10-21 09:19:05 [ FULL ]
On Tuesday 21 October 2003 04:07, Michael Dunstan wrote:[...]

Thanks Michael - this goes on the TODO.[...]

Re: feature list
Roland <list-pound(at)openrbl.org>
2003-10-21 11:10:03 [ FULL ]
--On Monday, 20 October 2003 15:24 +0200 Robert Segall <roseg(at)apsis.ch> wrote:
[...]

I'd like to insert custom headers also with plain HTTP
[...]

configure option --without-ssl, which would not require the
thread safe library in the first place.

Roland

Re: feature list
Robert Segall <roseg(at)apsis.ch>
2003-10-21 11:16:24 [ FULL ]
On Tuesday 21 October 2003 11:10, Roland wrote:[...]

Examples? Applicability/Motivation? Transparency?
[...]

Can't do that - for now Pound uses the BIO_ functions even on regular HTTP 
connections. This is the reason we are looking at the long term - we would 
need to replace the BIO_ functionality but keep the crypto stuff. In moving 
to GNUtls we would at least (temporarily) avoid the problems with the mix-ups 
between the various versions of OpenSSL you may have installed.[...]