Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 26 Mar 2019 11:13:44 -0400
From: Rich Felker <>
Subject: Re: Supporting git access via smart HTTPS protocol for

On Tue, Mar 26, 2019 at 11:09:01AM -0400, Drew DeVault wrote:
> On 2019-03-26 11:04 AM, Rich Felker wrote:
> > > Also I find you are providing https version of site.
> > > thttpd does not supports https. Are you using stunnel for it?
> > 
> > I'm presently using haproxy's TLS-layer (vs HTTPS-layer) proxying,
> > because stunnel suggers from a 2.5-decades-old wrong handling of TCP
> > connection closing that makes it unusable, and because haproxy is what
> > I knew at the time. I think openssl s_server could handle it too, but
> > might not support SNI (?). What I'd really prefer is a non-broken
> > stunnel workalike using BearSSL as the backend, since BearSSL is the
> > only non-awful TLS implementation. If anyone wants to work on
> > something like that I'd be happy to test and eventually dogfood it on
> > musl site.
> If a working haproxy solution is already in place, why not rig it up for
> cloning as well? What's the old phrase - perfect is the enemy of good,
> or something like that.

The problem is that I don't know how to hook up the smart git http
backend via cgi. Maybe you're suggesting running it on a separate
httpd with haproxy doing the routing, but that's not compatible with
TLS-layer (rather than HTTP-layer) use of haproxy, and the latter does
not work with thttpd's cgi conformance issues, nor do I want to
introduce further dependency on haproxy, which is a big hammer. I'd
rather move in the opposite direction towards something like a
non-broken version of stunnel.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.