On Mon, Feb 22, 2021 at 05:28:03PM +0100, Stefan Eissing wrote:
> Regarding my proposal to add SSL related inquiry functions to our core 
> server, here
> is a patch for the "ssl_is_https()" function. This allows:
> a) anyone to inquire about a connections SSLiness without the optional 
> function retrieval. 
>    It will itself call such a function provided by a module. So this should 
> make anyone 
>    using the new ap_ssl_is_ssl(c) remain compatible to existing ssl modules.

This makes sense to me except, obviously, I will start a fight to 
bikeshed the naming, since "SSL is SSL" scans quite weirdly?  
ap_is_https() or ap_conn_is_{ssl,tls}() or something would be better 

> b) provide a hook to ssl modules where they can register to inform about 
> connections they manage.
> c) allow old modules that use the existing optional functions to work when 
> everyone uses the new hook.
> If I got this right, of course. Feedback very much appreciated.

Looks like the right design otherwise to me.  And all the modules which 
do the dance to retrieve ssl_is_https currently, can be changed over to 
this new API?  A nice simplification.

FWIW we briefly tried in RHEL supporting loading mod_ssl & mod_nss into 
httpd simultaneously, patching both to juggle the optional functions, 
and it was a bit painful/stupid.  So, this is definitely much better.  
(We dropped mod_nss from RHEL8 onwards anyway)

Regards, Joe

Reply via email to