> On 20.04.2021 at 11:57, Ruediger Pluem <rpl...@apache.org> wrote:
> 
> 
> 
> On 4/13/21 3:00 PM, Stefan Eissing wrote:
>> The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with 
>> the additions of our OCSP hook support in the core server. In case you did 
>> not follow it, a short summary of the changes:
>> 
>> 1. httpd core offers functions/hooks so that SSL related things 
>>   can be queried without optional functions. That means all the 
>>   lookups in modules of the "ssl_is_https(conn_rec *c)" have 
>>   been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
>> 2. The provisioning of SSL certificates for servers, as done by mod_md,
>>   has also now a central hub in the server. This means other modules
>>   besides mod_ssl/mod_md can use/offer certificate services.
>> 3. The OCSP response data that is used in "SSL Stapling" has also now
>>   a central hub with functions/hooks. That means other SSL modules can
>>   use mod_md services and another OCSP stapling module may be written
>>   and installed without changes to SSL modules.
>> 
>> All these new server functions/hooks are agnostic of the actual *SSL 
>> implementation. One might mix modules using OpenSSL with ones using libressl 
>> or exotics like rustls.
>> 
>> 4. mod_ssl has been extended to use these new functions/hooks while 
>> maintaining its own OPTIONAL functions and support. This should give full 
>> backward compatibility for 3rd party modules for interop with mod_ssl.
>> 
>> 5. mod_md has been extended to use/register at the new core hooks. The PR 
>> also includes a range of other, unrelated enhancements to mod_md, like 
>> multiple certificates and EC keys. It would have been possible to separate 
>> this out, but it would have required more testing combinations and the 
>> number of branches/repros to juggle is already high enough.
>> 
>> As with all GitHub PRs, you can get the diff simply by appending ".diff", so 
>> <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For 
>> easier review, I extract the parts related only to the core server and the 
>> ones only related to mod_ssl and attach them here.
>> 
>> I would very much appreciate if some of you find the time to point to my 
>> mistakes.
>> 
> 
> As it was easier for me I directly commented on the PR.

Excellent! Will make an update, probably today.

/Stefan
> 
> Regards
> 
> Rüdiger
