> On 12.03.2021 at 13:42, Joe Orton <jor...@redhat.com> wrote:
> 
> On Fri, Mar 12, 2021 at 12:22:38PM +0100, Stefan Eissing wrote:
>> Things for consideration:
>> 1. "SSLOptions StdEnvVars" sets a range of variables unrelated to SSL. 
>> I think these should be provided by the server.
> 
> Which ones are unrelated to SSL?

My memory failed me. The 'StdEnvVars' indeed adds only SSL_* variables. 
The list is in ssl_hook_Fixup_vars in ssl_engine_kernel.c:1501

What I was remembering is the different variables that mod_ssl makes
available to Require expressions (if I understand the code correctly)
in ssl_engine_vars.c:242. 

Like for example "HTTP_USER_AGENT" which otherwise seems to be only
defined in mod_rewrite.c:2210. I am not sure from where a 
"Require HTTP_USER_AGENT xxx" would get the value...

On closer inspection, these seem to have been intended for SSLRequire
only, but I am not sure if the hooks do not leak these into other
parts of the server.

>> 2. "SSLRequireSSL" is internally implemented on the deprecated 
>> "SSLRequire". Should we at least recommend in the documentation which 
>> "Require" configuration one should use instead? I think it is "Require 
>> ssl"?
> 
> Yes, definitely.  SSLRequireSSL -> "Require ssl", and both SSLRequireSSL 
> and SSLRequire could be removed for 2.5+ IMO.
> 
>> 3. If it is "Require ssl", this needs an authn provider "ssl" 
>> registered and there can only be one (I assume?). Should core override 
>> that and base its result on the new ap_ssl_conn_is_ssl(c) function?
> 
> It sounds like the right approach, although it looks like there should 
> be unification here, since atm mod_ssl maps "Require ssl" to 
> modssl_request_is_tls() but ssl_is_https() is slightly different 
> (probably wrong?).

Yeah, have to check if there is any real difference. Maybe that
duplication was only made because of the OPTIONAL of the other function.

> 
> Regards, Joe
> 
