On Mon, Feb 22, 2021 at 05:28:03PM +0100, Stefan Eissing wrote: > Regarding my proposal to add SSL related inquiry functions to our core > server, here > is a patch for the "ssl_is_https()" function. This allows: > > a) anyone to inquire about a connections SSLiness without the optional > function retrieval. > It will itself call such a function provided by a module. So this should > make anyone > using the new ap_ssl_is_ssl(c) remain compatible to existing ssl modules.
This makes sense to me except, obviously, I will start a fight to bikeshed the naming, since "SSL is SSL" scans quite weirdly? ap_is_https() or ap_conn_is_{ssl,tls}() or something would be better IMO? > b) provide a hook to ssl modules where they can register to inform about > connections they manage. > c) allow old modules that use the existing optional functions to work when > everyone uses the new hook. > > If I got this right, of course. Feedback very much appreciated. Looks like the right design otherwise to me. And all the modules which do the dance to retrieve ssl_is_https currently, can be changed over to this new API? A nice simplification. FWIW we briefly tried in RHEL supporting loading mod_ssl & mod_nss into httpd simultaneously, patching both to juggle the optional functions, and it was a bit painful/stupid. So, this is definitely much better. (We dropped mod_nss from RHEL8 onwards anyway) Regards, Joe