- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Thu, 14 Nov 2002 23:40:58 -0700 (MST)
- To: srikant.chonnad@siritech.com
- cc: ietf-http-wg@w3.org
On Fri, 15 Nov 2002 srikant.chonnad@siritech.com wrote:
> I had a doubt. Can SSL implementation be part of the HTTP stack
> implementation?
IMO, it is impossible to answer your questions in general. The answer
depends on what stack interface you want/need to support. You can wrap
everything under one "stack" or provide pluggable SSL wrappers or do
something else, depending on your user needs.
> In that case, for secure HTTP connections, is it OK if we just
> specify https in the url or should something additional be done.
It is probably OK provided your stack users do not need any control
over SSL parameters. There are a lot of SSL knobs: SSL/TLS protocol
versions, certification authorities, encryption algorithms, key
lengths, session caching, etc. Some users need them; some do not care
as long as everything "works".
> If SSL implemenation is separate, how do we integrate HTTP
> implementation and SSL implementation?
Depends on how you implemented the HTTP stack and what SSL
implementation you are using. For example, OpenSSL library provides at
least two major integration options: low-level sockets and high-level
I/O buffers.
An important caveat to keep in mind when integrating HTTP and SSL is
that SSL may need to read or write data regardless of the current HTTP
"direction" and that SSL may need to do I/Os after HTTP transfer is
completed. For example, SSL may need to read data while your HTTP
stack is sending a request and, hence, may not expect to read anything
until the request is sent. Your code must ensure there are no
deadlocks.
If you must integrate, read a good book on SSL before you finalize
major HTTP stack design decisions.
Alex.
--
| HTTP performance - Web Polygraph benchmark
www.measurement-factory.com | HTTP compliance+ - Co-Advisor test suite
| all of the above - PolyBox appliance
Received on Friday, 15 November 2002 01:41:10 UTC