httpd-dev mailing list archives

From Martin Kraemer <>
Subject Re: svn commit: r220307 - in /httpd/httpd/trunk/modules: metadata/mod_setenvif.c ssl/mod_ssl.c ssl/mod_ssl.h ssl/ssl_expr_eval.c
Date Tue, 02 Aug 2005 13:23:44 GMT
On Tue, Aug 02, 2005 at 12:00:24PM +0100, Joe Orton wrote:
> On Fri, Jul 22, 2005 at 02:24:50PM +0200, Sander Striker wrote:
> > Joe Orton wrote:
> > >On Fri, Jul 22, 2005 at 12:11:56PM -0000, Martin Kraemer wrote:
> > >
> > >>Author: martin
> > >>Date: Fri Jul 22 05:11:55 2005
> > >>New Revision: 220307
> > >>
> > >>URL:
> > >>Log:
> > >>Allow extraction of the values of SSL certificate extensions into
> > >>environment variables, so that their value can be used by any
> > >>module that is aware of environment variables, as in:
> > >
> > >
> > >So what is the point in posting patches for review if you don't actually 
> > >wait for anyone to review them before committing?
> > 
> > That would be my fault.  We're here at ApacheCon and when Martin said
> > he posted to the list first I asked him why he didn't commit to trunk
> > directly, since that is C-T-R.  It's a reasonable smallish patch, with
> > little impact on existing functionality; hence the nudge.
> C-T-R is a good way to accumulate a codebase full of unfinished changes 
> if the R bit is ignored by the committer.  Ping Martin.

Oops, sorry. Thanks for pinging.

>> 1) this is a pretty specific to way to code it.  Is there no way to make
>> it more general so that OID() is just a function like file() and can be
>> used e.g. in regex matches too?

The problem with the OID() "function" is that, where file() (or
another file()-like function) returns a single value, what OID()
stands for is an "array of zero or more values". But there is no
syntax to deal with arrays in place of expressions. I tried to
implement it as a function first, but noticed that it would break when
an OID was specified more than once. In the ASF scenario, the
intention is to add multiple extensions with this OID, each one
containing as its value a group name of which the client is a member.

Because of the pre-existing syntax "<expr> in {value,value}", and
because "{value,value}" is effectively an array, I chose to implement
the OID() "function" as a special case of the "<expr> in" operator.

Do you have a good idea how to use a function-like syntax, and still
maintain the "is an array" property?

>> 2) you must always check in the regenerated scanner source
>> along with changes to the lex file.

My bad, sorry for missing that. Committed right now.

>> 3) oid() is a terrible name for this; it's simply the type of the
>> parameter.  It would be like calling malloc() "size()".  The function
>> expands (conceptually) to the values of an extension in the peer's
>> certificate, identified by OID; so call it peerext() or something
>> meaningful like that.

Good point - Thanks a lot -- that is a *very* good idea, and (if
nobody objects) I'd want to follow this suggestion. I had been a
little unhappy with OID() myself. peerext() is especially good
because it also documents where the certificate came from.

>> >   SetEnvIf OID("2.16.840.1.113730.1.13") "(.*) Generated (Certificate)" ca=$1
>> -1 on the naming since OID is completely entirely meaningless in this
>> context.

In the context of mod_setenvif, I'd even use "SSLPeerExt()" because
it makes it clear that we are dealing with an SSL-related thing.

Patch <<mod_setenvif.c.patch>> attached.

In <<ssl_peerext.patch>> there is a patch which changes OID()
to SSLPeerExt() for mod_ssl.

<>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730  Munich,  Germany
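Added illustration of the array-valued semantics discussed in this thread; it is a small Python model, not code from httpd or from the patches attached above. The extension list, the group-name OID 1.3.6.1.4.1.99999.1 and the function names are constructed for the example; only the Netscape extension OID 2.16.840.1.113730.1.13 and the regex come from the message.

```python
import re

# Constructed stand-in for the extensions of a peer certificate, as
# (oid, value) pairs.  The group-name OID deliberately appears twice,
# which is the case that breaks a single-valued OID() function.
PEER_EXTENSIONS = [
    ("2.16.840.1.113730.1.13", "ASF Generated Certificate"),
    ("1.3.6.1.4.1.99999.1", "httpd-committers"),   # hypothetical group OID
    ("1.3.6.1.4.1.99999.1", "pmc-members"),        # same OID, second value
]


def peer_ext(extensions, oid):
    """Array-valued lookup: every value carried by extensions with this OID
    (zero or more), in certificate order."""
    return [value for ext_oid, value in extensions if ext_oid == oid]


def first_only(extensions, oid):
    """What a file()-style single-valued function would yield: only the
    first matching extension, so later duplicates are lost."""
    values = peer_ext(extensions, oid)
    return values[0] if values else None


def array_in(values, allowed):
    """'<expr> in {a,b}' with an array on the left-hand side: true if any
    element of the array is one of the listed values."""
    return any(v in allowed for v in values)


def setenvif_match(values, pattern, assignments):
    """SetEnvIf-style regex match applied to each value of the array; the
    first value that matches sets the variables.  assignments maps an
    env var name to a '$N' back-reference, as in 'ca=$1'."""
    rx = re.compile(pattern)
    for v in values:
        m = rx.search(v)
        if m:
            return {name: m.group(int(ref[1:])) for name, ref in assignments.items()}
    return {}


if __name__ == "__main__":
    groups = peer_ext(PEER_EXTENSIONS, "1.3.6.1.4.1.99999.1")
    print("array:", groups, "in {pmc-members}:", array_in(groups, {"pmc-members"}))
    print("single-valued:", first_only(PEER_EXTENSIONS, "1.3.6.1.4.1.99999.1"))
    print(setenvif_match(peer_ext(PEER_EXTENSIONS, "2.16.840.1.113730.1.13"),
                         "(.*) Generated (Certificate)", {"ca": "$1"}))
```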
