ipa-server conflicts with mod_ssl

05-13-2008, 02:51 PM

On Tue, May 13, 2008 at 10:19:29AM -0400, Simo Sorce wrote:
>
> On Tue, 2008-05-13 at 10:15 -0400, Neal Becker wrote:
> > ipa-server-1.0.0-4.fc9.x86_64 from updates has depsolving problems
> > --> ipa-server conflicts with mod_ssl
>
> Not a problem, the conflict is there on purpose.

What purpose? The mod_ssl and mod_nss packages themselves do not
conflict (nor the default configurations thereof)

joe

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 03:07 PM

On Tue, 2008-05-13 at 15:51 +0100, Joe Orton wrote:
> On Tue, May 13, 2008 at 10:19:29AM -0400, Simo Sorce wrote:
> >
> > On Tue, 2008-05-13 at 10:15 -0400, Neal Becker wrote:
> > > ipa-server-1.0.0-4.fc9.x86_64 from updates has depsolving problems
> > > --> ipa-server conflicts with mod_ssl
> >
> > Not a problem, the conflict is there on purpose.
>
> What purpose? The mod_ssl and mod_nss packages themselves do not
> conflict (nor the default configurations thereof)

mod_proxy can use only one or the other, not both, we need to fix
mod_proxy.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 03:17 PM

Joe Orton wrote:

On Tue, May 13, 2008 at 10:19:29AM -0400, Simo Sorce wrote:

On Tue, 2008-05-13 at 10:15 -0400, Neal Becker wrote:

ipa-server-1.0.0-4.fc9.x86_64 from updates has depsolving problems
--> ipa-server conflicts with mod_ssl

Not a problem, the conflict is there on purpose.

What purpose? The mod_ssl and mod_nss packages themselves do not
conflict (nor the default configurations thereof)

joe

The problem is mod_proxy. It has only one set of symbols for doing SSL.
mod_nss provides those symbols but defers to mod_ssl if both are loaded.
But this means that if both are loaded mod_proxy will try to use the
wrong SSL engine.

rob
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 04:00 PM

On Tue, May 13, 2008 at 11:07:32AM -0400, Simo Sorce wrote:
>
> On Tue, 2008-05-13 at 15:51 +0100, Joe Orton wrote:
> > On Tue, May 13, 2008 at 10:19:29AM -0400, Simo Sorce wrote:
> > >
> > > On Tue, 2008-05-13 at 10:15 -0400, Neal Becker wrote:
> > > > ipa-server-1.0.0-4.fc9.x86_64 from updates has depsolving problems
> > > > --> ipa-server conflicts with mod_ssl
> > >
> > > Not a problem, the conflict is there on purpose.
> >
> > What purpose? The mod_ssl and mod_nss packages themselves do not
> > conflict (nor the default configurations thereof)
>
> mod_proxy can use only one or the other, not both, we need to fix
> mod_proxy.

Oh, that, right. No, the fix for that is to stop shipping two SSL
modules which have the same purpose as far as the rest of the server
(and userbase) cares.

joe

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 04:08 PM

On Tue, 2008-05-13 at 17:00 +0100, Joe Orton wrote:
> Oh, that, right. No, the fix for that is to stop shipping two SSL
> modules which have the same purpose as far as the rest of the server
> (and userbase) cares.

So when can I block mod_ssl?

--
Jesse Keating
Fedora -- Freedom² is a feature!
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 04:17 PM

On Tue, May 13, 2008 at 12:08:00PM -0400, Jesse Keating wrote:
> On Tue, 2008-05-13 at 17:00 +0100, Joe Orton wrote:
> > Oh, that, right. No, the fix for that is to stop shipping two SSL
> > modules which have the same purpose as far as the rest of the server
> > (and userbase) cares.
>
> So when can I block mod_ssl?

Well technically never, since it's a subpackage of httpd not a source
package, but, the answer is: when mod_nss is supported upstream at the
ASF, rather than being based on a fork of an old copy of mod_ssl.

joe

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 04:24 PM

On Tue, 2008-05-13 at 17:17 +0100, Joe Orton wrote:
> > So when can I block mod_ssl?
>
> Well technically never, since it's a subpackage of httpd not a source
> package, but, the answer is: when mod_nss is supported upstream at the
> ASF, rather than being based on a fork of an old copy of mod_ssl.

This is what I love about Fedora. Our own initiatives can't be agreed
upon by our own developers.

--
Jesse Keating
Fedora -- Freedom² is a feature!
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

05-13-2008, 04:44 PM

On Tue, May 13, 2008 at 12:24:48PM -0400, Jesse Keating wrote:
> On Tue, 2008-05-13 at 17:17 +0100, Joe Orton wrote:
> > > So when can I block mod_ssl?
> >
> > Well technically never, since it's a subpackage of httpd not a source
> > package, but, the answer is: when mod_nss is supported upstream at the
> > ASF, rather than being based on a fork of an old copy of mod_ssl.
>
> This is what I love about Fedora. Our own initiatives can't be agreed
> upon by our own developers.

I'm not sure that anybody would disagree that the above is the right
end-goal; "do work upstream" has always been key to the crypto
consolidation project AFAIK.

joe

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list