On 1/13/00 8:11 AM, Rob Page at rob.page@digicool.com wrote:
Hi Joachim:
In http://www.egroups.com/group/medusa/47.html I read about using "STunnel" (http://mike.daewoo.com.pl/computer/stunnel/) to add SSL functionality to Medusa.
As ZServer is derived from Medusa, this should work for Zope, too.
Search the archives, I know several people have mentioned getting stunnel to work... I never tried, not having the bandwidth right now.
Has anyone tried to use this combination? Any experience? I'm asking because I like the idea of having ONLY ZServer running as a web server, not a combination of ZServer and Apache. The only thing I'd need Apache (or Roxen) for, would be the SSL support.
BTW: Is native SSL support planned for ZServer?
Chris Petrilli, our local security story manager is working on a number of different projects. Lest this go unanswered I'll pipe in.... If you want to ask a question, ask him! :^)
The main reason, as Rob outlines, that we don't support SSL in ZServer is that it's simply very difficult to get RIGHT (my previous job was heavily PKI oriented, so crypto is in my blood), and quite honestly all of the focus on design is in the Apache world, and it seems important to leverage that, rather than trying to invent it all. Additionally, serious SSL sites are going to use something like a Rainbow accelerator for the crypto, and that requires specific libraries be used (namely RSA's commercial libraries, etc), which of course we don't want to get into right now. Given the expense of SSL session setup, the burden of PCGI isn't very onerous, and quite honestly, if you go to FastCGI, it's largely irrelevant.
Historically, incorporating encryption into Zope has been a real obstacle for us for the following reasons:
(1) it ain't easy, (2) US export restrictions on the cryptographic software/tools
With yesterday's significant announcement by the US Govt:
http://www.infobeat.com/stories/cgi/story.cgi?id=2563227804-a95
it looks like (2) will no longer be an issue. However, (1) still is...
#1 is a huge issue, as Rob says, and #2, well... the landscape changes daily, and where I used to work we had 1 person dedicated to the legal issues of both exporting AND importing into other countries.
and (1) is a BIGGIE. To really use SSL for both server AND client identification/authentication there is a LOT to do. I'm not sure that we've got the bandwidth (funded or not) to do this in the foreseeable future.
Given I don't believe we have any value to add on the HTTP/SSL server side of the equation I would say that we're unlikely to head in that direction anytime soon. Having said that, patches are naturally accepted ;-)
Naturally, if there was a funded effort we could at least look at what it would take. Alternatively, we could provide advice and guidance to any person or group that wanted to take this project on (with a serious intent to finish).
I believe the more interesting aspect for me, at least, and for customers in the long haul, and where we can add serious value is in the integration of PKI client-authentication (using X.509 certs) into the Zope security model in a more elegant way. I've got tons of ideas on this, mostly fully fleshed out, but there's simply been no customer demand for this. Hope this helps to direct some thought.
Chris
--
| Christopher Petrilli        Python Powered        Digital Creations, Inc.
| petrilli@digicool.com                             http://www.digicool.com
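The stunnel-in-front-of-ZServer arrangement Joachim asks about, as an added illustration that is not from this thread or from Zope: stunnel terminates SSL/TLS on port 443 and hands plaintext HTTP to ZServer on the loopback interface. It assumes a ZServer already listening on 127.0.0.1:8080 and uses the INI-style configuration file of stunnel 4 and later, not the command-line flags of the 1999-era stunnel 3.x linked above; the certificate and key paths are placeholders.

```ini
; stunnel.conf: SSL/TLS termination in front of a plain-HTTP ZServer
; (added example; paths and ports are assumptions, not Zope defaults)

cert = /etc/stunnel/zope.pem       ; placeholder: server certificate chain
key  = /etc/stunnel/zope.key       ; placeholder: private key, mode 0600
pid  = /var/run/stunnel-zope.pid

; drop privileges after binding port 443
setuid = stunnel
setgid = stunnel

; refuse the legacy protocol versions that stunnel would otherwise offer
options = NO_SSLv2
options = NO_SSLv3

[https]
; server mode (client = no is the default): decrypt on 443, forward plaintext
accept  = 443
connect = 127.0.0.1:8080
```

Because ZServer receives ordinary HTTP from 127.0.0.1, it must be bound to the loopback address only, or every client could bypass stunnel and reach port 8080 in the clear; ZServer also cannot tell an https request from an http one, so any "secure page" logic must not depend on the scheme it sees.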