The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with the 
additions of our OCSP hook support in the core server. In case you did not 
follow it, a short summary of the changes:

1. httpd core offers functions/hooks so that SSL related things 
   can be queried without optional functions. That means all the 
   lookups in modules of the "ssl_is_https(conn_rec *c)" have 
   been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
2. The provisioning of SSL certificates for servers, as done by mod_md,
   has also now a central hub in the server. This means other modules
   besides mod_ssl/mod_md can use/offer certificate services.
3. The OCSP response data that is used in "SSL Stapling" has also now
   a central hub with functions/hooks. That means other SSL modules can
   use mod_md services and another OCSP stapling module may be written
   and installed without changes to SSL modules.

All these new server functions/hooks are agnostic of the actual *SSL 
implementation. One might mix modules using OpenSSL with ones using libressl or 
exotics like rustls.

4. mod_ssl has been extended to use these new functions/hooks while maintaining 
its own OPTIONAL functions and support. This should give full backward 
compatibility for 3rd party modules for interop with mod_ssl.

5. mod_md has been extended to use/register at the new core hooks. The PR also 
includes a range of other, unrelated enhancements to mod_md, like multiple 
certificates and EC keys. It would have been possible to separate this out, but 
it would have required more testing combinations and the number of 
branches/repros to juggle is already high enough.

As with all GitHub PRs, you can get the diff simply by appending ".diff", so 
<https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier 
review, I extract the parts related only to the core server and the ones only 
related to mod_ssl and attach them here.

I would very much appreciate if some of you find the time to point to my 
mistakes.

Cheers, Stefan



Attachment: ap_ssl_things_PR179_core.diff

Attachment: ap_ssl_things_PR179_mod_ssl.diff
