The PR 179 <https://github.com/apache/httpd/pull/179> has been updated with the additions of our OCSP hook support in the core server. In case you did not follow it, a short summary of the changes:
1. httpd core offers functions/hooks so that SSL related things
can be queried without optional functions. That means all the
lookups in modules of the "ssl_is_https(conn_rec *c)" have
been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
2. The provisioning of SSL certificates for servers, as done by mod_md,
has also now a central hub in the server. This means other modules
besides mod_ssl/mod_md can use/offer certificate services.
3. The OCSP response data that is used in "SSL Stapling" has also now
a central hub with functions/hooks. That means other SSL modules can
use mod_md services and another OCSP stapling module may be written
and installed without changes to SSL modules.
All these new server functions/hooks are agnostic of the actual *SSL implementation. One might mix modules using OpenSSL with ones using libressl or exotics like rustls.
4. mod_ssl has been extended to use these new functions/hooks while maintaining its own OPTIONAL functions and support. This should give full backward compatibility for 3rd party modules for interop with mod_ssl.
5. mod_md has been extended to use/register at the new core hooks. The PR also includes a range of other, unrelated enhancements to mod_md, like multiple certificates and EC keys. It would have been possible to separate this out, but it would have required more testing combinations and the number of branches/repros to juggle are already high enough.
As will all github PRs, you can get the diff simply by appending ".diff", so <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier review, I extract the parts related only to the core server and the ones only related to mod_ssl and attach them here.
I would very much appreciate if some of you find the time to point to my mistakes.
Cheers, Stefan
1. httpd core offers functions/hooks so that SSL related things
can be queried without optional functions. That means all the
lookups in modules of the "ssl_is_https(conn_rec *c)" have
been converted to direct invocations of "ap_ssl_conn_is_ssl(c)".
2. The provisioning of SSL certificates for servers, as done by mod_md,
has also now a central hub in the server. This means other modules
besides mod_ssl/mod_md can use/offer certificate services.
3. The OCSP response data that is used in "SSL Stapling" has also now
a central hub with functions/hooks. That means other SSL modules can
use mod_md services and another OCSP stapling module may be written
and installed without changes to SSL modules.
All these new server functions/hooks are agnostic of the actual *SSL implementation. One might mix modules using OpenSSL with ones using libressl or exotics like rustls.
4. mod_ssl has been extended to use these new functions/hooks while maintaining its own OPTIONAL functions and support. This should give full backward compatibility for 3rd party modules for interop with mod_ssl.
5. mod_md has been extended to use/register at the new core hooks. The PR also includes a range of other, unrelated enhancements to mod_md, like multiple certificates and EC keys. It would have been possible to separate this out, but it would have required more testing combinations and the number of branches/repros to juggle are already high enough.
As will all github PRs, you can get the diff simply by appending ".diff", so <https://github.com/apache/httpd/pull/179.diff> is the whole thing. For easier review, I extract the parts related only to the core server and the ones only related to mod_ssl and attach them here.
I would very much appreciate if some of you find the time to point to my mistakes.
Cheers, Stefan