On Fri, Mar 12, 2021 at 12:22:38PM +0100, Stefan Eissing wrote:
> Things for consideration:
> 1. "SSLOptions StdEnvVars" sets a range of variables unrelated to SSL.
> I think these should be provided by the server.

Which ones are unrelated to SSL?

> 2. "SSLRequireSSL" is internally implemented on the deprecated
> "SSLRequire". Should we at least recommend in the documentation which
> "Require" configuration one should use instead? I think it is "Require
> ssl"?

Yes, definitely. SSLRequireSSL -> "Require ssl", and both SSLRequireSSL and SSLRequire could be removed for 2.5+ IMO.

> 3. If it is "Require ssl", this needs an authn provider "ssl"
> registered and there can only be one (I assume?). Should core override
> that and base its result on the new ap_ssl_conn_is_ssl(c) function?

It sounds like the right approach, although it looks like there should be unification here, since atm mod_ssl maps "Require ssl" to modssl_request_is_tls() but ssl_is_https() is slightly different (probably wrong?).

Regards, Joe
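
The SSLRequireSSL -> "Require ssl" migration discussed in this thread, as an added configuration example that is not part of the original message or of the httpd documentation. The directory path, realm name and password file path are assumed placeholders. It shows the one point that changes when the rule becomes an ordinary Require: it has to be combined explicitly with other Require lines.

```apache
# Constructed example; /srv/www/secure and the htpasswd path are placeholders.

# Before: SSLRequireSSL rejects every non-TLS request to this directory,
# independently of the Require line below it.
<Directory "/srv/www/secure">
    SSLRequireSSL
    AuthType Basic
    AuthName "restricted"
    AuthUserFile "/etc/httpd/conf/htpasswd.example"
    Require valid-user
</Directory>

# After: "Require ssl" is an authorization rule like any other. Bare Require
# directives in one section are combined as if inside <RequireAny>, so
# listing "Require ssl" next to "Require valid-user" without a container
# would let any TLS request in without a password. <RequireAll> keeps the
# original meaning: TLS and a valid user are both required.
<Directory "/srv/www/secure">
    AuthType Basic
    AuthName "restricted"
    AuthUserFile "/etc/httpd/conf/htpasswd.example"
    <RequireAll>
        Require ssl
        Require valid-user
    </RequireAll>
</Directory>
```

The two blocks are alternatives for the same directory, not meant to be loaded together.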