Mailing List Archive

OCSP stapling evolution
My thoughts on how we can evolve the OCSP Stapling infrastructure in our server: https://github.com/icing/mod_tls/issues/4

With the `ap_ssl_*()` functions we replaced basic SSL functionality, so far provided by mod_ssl alone, by adding support in the core server. This is not only convenient for modules checking whether a connection is encrypted or not, it also allows several SSL implementations to be loaded at the same time.

For OCSP Stapling, we have 2 implementations, one in mod_ssl, one in mod_md. The interworking here also goes via optional hooks provided by mod_ssl (via mod_ssl_openssl.h, since it exchanges X509*). I propose to move those into the core server as well and replace the X509* exchanged with data that is ignorant of the implementation.

While these hooks will be of no interest to other modules, those core hooks would provide interop between any module providing OCSP stapling and any module that does SSL connections.

If you'd like to weigh in with comments and ideas, please do!

- Stefan

PS. I pseudo-coded the hooks as pure functions, so it is easier to read.
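As an added illustration of the implementation-agnostic exchange proposed above (this is not code from the post, from mod_ssl or from mod_md), here is a small C sketch of a hypothetical core registry: stapling providers receive the certificate as DER bytes rather than an X509*, and whichever module terminates TLS asks the registry in APR RUN_FIRST style. All names (`register_stapling_provider`, `get_stapled_response`, `demo_*`) and the return-code convention are assumptions, not httpd APIs.

```c
#include <stddef.h>
#include <string.h>
/* Hook return codes in the APR RUN_FIRST style (assumed here, not httpd's own
 * definitions): OK = handled, DECLINED = provider does not know this certificate. */
#define OK 0
#define DECLINED -1
/* A stapling provider (mod_ssl, mod_md, ...) answers for a certificate handed over
 * as raw DER bytes, so the core never sees an OpenSSL X509* or any other library type. */
typedef int (*stapling_provider_fn)(const unsigned char *cert_der, size_t cert_len,
                                    const unsigned char **resp_der, size_t *resp_len);
#define MAX_PROVIDERS 4
static stapling_provider_fn providers[MAX_PROVIDERS];
static int nproviders;
int register_stapling_provider(stapling_provider_fn fn) {
    if (nproviders >= MAX_PROVIDERS) return -1;
    providers[nproviders++] = fn;
    return 0;
}
/* Called by the module terminating TLS: the first provider returning OK wins. */
int get_stapled_response(const unsigned char *cert_der, size_t cert_len,
                         const unsigned char **resp_der, size_t *resp_len) {
    for (int i = 0; i < nproviders; i++)
        if (providers[i](cert_der, cert_len, resp_der, resp_len) == OK) return OK;
    return DECLINED;
}
/* Constructed sample bytes standing in for a DER certificate and an OCSP response. */
static const unsigned char demo_cert[] = {0x30, 0x03, 0x02, 0x01, 0x01};
static const unsigned char demo_resp[] = {0x30, 0x03, 0x0a, 0x01, 0x00};
static int demo_provider(const unsigned char *cert_der, size_t cert_len,
                         const unsigned char **resp_der, size_t *resp_len) {
    if (cert_len != sizeof demo_cert || memcmp(cert_der, demo_cert, cert_len) != 0)
        return DECLINED;            /* not ours: let the next provider try */
    *resp_der = demo_resp;
    *resp_len = sizeof demo_resp;
    return OK;
}
/* Returns the stapled response length for the known cert, or -1 for an unknown one. */
int demo_lookup(int use_known_cert) {
    const unsigned char other[] = {0x30, 0x00};
    const unsigned char *resp = NULL;
    size_t len = 0;
    if (nproviders == 0) register_stapling_provider(demo_provider);
    int rc = use_known_cert ? get_stapled_response(demo_cert, sizeof demo_cert, &resp, &len)
                            : get_stapled_response(other, sizeof other, &resp, &len);
    return rc == OK ? (int)len : -1;
}
```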