acs-tcl already has other parameters related to ssl and security::locations behavior.. that's why it seems to me to be an appropriate place --especially since someone using a proxy for ssl isn't configuring nsopenssl in the config.tcl file. How ever it's done, please document it clearly.