Manne Anliot wrote:
> 
> IIS (and IPlanet) has built-in SSL support, no extra modules needed. 

To put it another way: Apache has removable SSL functionality - users
who don't want SSL can run a streamlined server with a smaller memory
footprint. No unnecessary modules need be included.

> haven't looked up the source since they both set HTTPS=on at an early stage
> and everything worked fine, so I'm not sure on what's happening under the
> hood. 

So can you be sure you really are in SSL - could be IIS sets HTTPS=on as
soon as it sees a request on port 443. 

The point I'm making is that unless you have access to the source code,
you cannot guarantee that any module is setting a variable when YOU
think it should be set (your idea of HTTPS=on might be different from
IIS's). At least with mod_ssl, you can look at the code and think
"That's a bit late" but you CAN be sure that you really are in an SSL
session.

The port-based solution seems safe. With a properly configured server
you can be sure that 443 = SSL. 

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
