Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 25 Jan 2003 05:58:02 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: RE : First install

On Fri, Jan 24, 2003 at 09:47:11AM +0100, Estrade Matthieu wrote:
> I didn't setup a loopback, so maybe it's why i got this error message

Do you somehow not use our usual startup scripts?  This is normally a
part of our owl-startup package.

[Apache]
> >>2.0 is more secure
> >
> >Is it?  (I don't care about its properties on Win32.)
> >
> yep, i think it is because if you look all the problem there were last 
> month (OpenSSL and chunk exploits),

Last month?  I'd say last year.

> all the exploits you can find, giving remote shell, are only on apache 1.3.

You mentioned two issues so far (are you aware of any others that are
about as bad? I'm not) --

1. OpenSSL.  This is clearly not an Apache problem, and affects any
version of Apache or another web server in the same way (if OpenSSL is
used).  It isn't even limited to web servers.

2. The Apache chunked encoding vulnerability.  Yes, a 1.x bug.  But
there's no reason a similar bug couldn't have occurred in 2.0.x.

> apache 2.0 was only vuln to Denial of services and more difficult to 
> exploit. but maybe i don't get all the existing exploits...

We just use different criteria to judge what is "more secure".  My
opinion is that the "existing exploits" or "security track record"
are pretty much irrelevant here.  Those are things we would have to
rely on if we weren't able to consider properties the software has.
But fortunately this is not the case.  My opinion on this approach is
in fact right on the third slide of our presentation on Owl. ;-)

> >>and really more powerfull than 1.3.x.
> >
> >What specific features of 2.0 do you think would benefit Owl users?
> >
> right, apache 2.0 is more powerfull because of many points.
> 
> 1- his architecture, he can provide actually 3 working mode (mpm = multi 
> processing modules)
>            - prefork, like apache 1.3, working with forked server.

OK, but we've got it already.

>            - worker, a new mode, stable and powerfull, working with 
> dynamic forked server containing static threaded child.
>            - perchild, closed to be stable, working with dynamic 
> threaded server containing dynamic thread child.

So much for security and stability.

If anyone wants these for a reason, then doing a custom Apache build
would be the least of their worries.

This is clearly not a reason for us to go with 2.0.x.

> 2- The caching features are really good too, a new module caching 
> documents and serving it from RAM is powerfull.

Could be nice, but again unimportant to most.  Static content only,
Linux kernel does a pretty good job of caching it anyway.

At DataForce, we're currently hosting about 1500 virtual domains, all
with Apache 1.3.x.

> 3- lots of modules available,

Yes, there exist modules both specific to 1.3.x and specific to 2.0.x.
I'm not sure the number of modules for which is greater.

> like deflate (free compresssion data module) which increase performance too.

There's an equivalent module (under the same name, but different code)
for 1.3.x as well:

ftp://ftp.lexa.ru/pub/apache-rus/contrib/

http://sysoev.ru/mod_deflate/
http://sysoev.ru/mod_deflate/download.html

(the last two pages are in Russian, sorry)

> 4- The reverse proxy mode, working fine and doing real HTTP/1.1 instead 
> of apache 1.3 doing fake HTTP/1.1
> so now apache 2.0 in reverse proxy mode can proxy all kind of 
> authentication.

OK.

> The reverse proxy for protecting web is now used a lot and it's fashion :)))

I've never used it.  Could you provide an example of how it "protects"
anything?

> 5- The apache 2.0 and apr api are more user friendly and provide stuff 
> to make more easy modules developpement (filters, bucket brigades etc...)
> It's possible to do all you want without modifying the apache core

OK.

> there is a lot of good point making apache 2.0 better than apache 1.3 
> but i can't remember all at the same time :)
> when i will find more, i will add it in a list :)

Well, you've given some valid reasons, but not enough to convince me
to make it the default for Owl just yet. :-)

-- 
/sd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.