On Mon, Feb 22, 2021 at 05:28:03PM +0100, Stefan Eissing wrote:
> Regarding my proposal to add SSL related inquiry functions to our core
> server, here is a patch for the "ssl_is_https()" function. This allows:
>
> a) anyone to inquire about a connection's SSLiness without the optional
> function retrieval. It will itself call such a function provided by a
> module. So this should make anyone using the new ap_ssl_is_ssl(c) remain
> compatible to existing ssl modules.

This makes sense to me except, obviously, I will start a fight to
bikeshed the naming, since "SSL is SSL" scans quite weirdly?
ap_is_https() or ap_conn_is_{ssl,tls}() or something would be better
IMO?

> b) provide a hook to ssl modules where they can register to inform about
> connections they manage.
> c) allow old modules that use the existing optional functions to work when
> everyone uses the new hook.
>
> If I got this right, of course. Feedback very much appreciated.

Looks like the right design otherwise to me. And all the modules which
do the dance to retrieve ssl_is_https currently, can be changed over to
this new API? A nice simplification.

FWIW we briefly tried in RHEL supporting loading mod_ssl & mod_nss into
httpd simultaneously, patching both to juggle the optional functions,
and it was a bit painful/stupid. So, this is definitely much better.

(We dropped mod_nss from RHEL8 onwards anyway)

Regards, Joe