> Am 12.03.2021 um 13:42 schrieb Joe Orton :
>
> On Fri, Mar 12, 2021 at 12:22:38PM +0100, Stefan Eissing wrote:
>> Things for consideration:
>> 1. "SSLOptions StdEnvVars" sets a range of variables unrelated to SSL.
>> I think these should be provided by the server.
>
> Which ones are unrelated to SSL?
My memory failed me. The 'StdEnvVars' indeed adds only SSL_* variables.
The list is in ssl_hook_Fixup_vars in ssl_engine_kernel.c:1501
What I was remembering is the different variables that mod_ssl makes
available to Require expressions (if I understand the code correctly)
in ssl_engine_vars.c:242.
Like for example "HTTP_USER_AGENT" which otherwise seems to be only
defined in mod_rewrite.c:2210. I am not sure from where a
"Require HTTP_USER_AGENT xxx" would get the value...
On closer inspection, these seem to have been intended for SSLRequire
only, but I am not sure of the hooks do not leak these into other
parts of the server.
>> 2. "SSLRequireSSL" is internally implemented on the deprecated
>> "SSLRequire". Should we at least recommend in the documentation which
>> "Require" configuration one should use instead? I think it is "Require
>> ssl"?
>
> Yes, definitely. SSLRequireSSL -> "Require ssl", and both SSLRequireSSL
> and SSLRequire could be removed for 2.5+ IMO.
>
>> 3. If it is "Require ssl", this needs a authn provider "ssl"
>> registered and there can only be one (I assume?). Should core override
>> that and base its result on the new ap_ssl_conn_is_ssl(c) function?
>
> It sounds like the right approach, although it looks like there should
> be unification here, since atm mod_ssl maps "Require ssl" to
> modssl_request_is_tls() but ssl_is_https() is slightly different
> (probably wrong?).
Yeah, have to check if there is any real difference. Maybe that
duplication was only made because of the OPTIONAL of the other function.
>
> Regards, Joe
>