> The approach I'm using is a new input filter which runs above (before) the HTTP input filter, and waits for an EOS, then does the SSL handshake. All the data must be read from the socket before starting the handshake, so it reads from all the non-metadata buckets to ensure they're morphed if necessary.

I think a better analogy is: 'is it closer to the network?' My impression from reading your code is that it is further away from the network than HTTP_IN. Is that correct? FWIW, that's how I'd do it: HTTP_IN runs first, then this new one - looking for the EOS generated from HTTP_IN.

Above and before are all screwy ways to phrase it. ;-)

> Does this approach seem sane, am I missing any input filtering issues here? I'd appreciate some review; patch below is newer than that attached to the bug report.

If my above assertion is correct, looks fine.

-- justin
