I think this is the "right thing", but I won't commit it myself without a couple "+1"s, because I don't trust myself mucking with suexec. Someone suggested making this conditional on mod_ssl being included in the build, but I don't see the point. There doesn't seem to be any danger in allowing SSL_ to pass in all cases.
Index: suexec.c =================================================================== RCS file: /home/cvs/httpd-2.0/support/suexec.c,v retrieving revision 1.17 diff -u -d -b -r1.17 suexec.c --- suexec.c 22 Nov 2001 07:42:13 -0000 1.17 +++ suexec.c 2 Feb 2002 22:40:14 -0000 @@ -227,7 +227,7 @@ cidx++; for (ep = environ; *ep && cidx < AP_ENVBUF-1; ep++) { - if (!strncmp(*ep, "HTTP_", 5)) { + if (!strncmp(*ep, "HTTP_", 5) || !strncmp(*ep, "SSL_", 4)) { cleanenv[cidx] = *ep; cidx++; }