httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r220307 - in /httpd/httpd/trunk/modules: metadata/mod_setenvif.c ssl/mod_ssl.c ssl/mod_ssl.h ssl/ssl_expr_eval.c
Date Mon, 15 Aug 2005 13:36:18 GMT
On Fri, Aug 05, 2005 at 08:00:01PM +0200, Martin Kraemer wrote:
> On Tue, Aug 02, 2005 at 07:14:10PM +0200, Martin Kraemer wrote:
> > I wanted something like
> > 
> >   SSLRequire "committers" in SSLPeerExtList("1.3.6.1.4.1.18060.1");
> > 
> > to mean "at least one extension with an OID of
> > 1.3.6.1.4.1.18060.1 with a value of 'committers' exists in the
> > client cert".
> 
> I'll be on vacation next week, and will send in another patch after
> that.

OK, hope you had a good holiday.  I wasn't trying to argue about the 
semantics, just to nitpick the naming.  Having "SSL" in the SSLRequire 
function is redundant, but not in the context of mod_setenvif.  So, my 
preference is:

    SSLRequire "committers" in PeerExtList("1.3.6.1.4.1.18060.1");

    SetEnvIf SSL_PeerExtList("etc") ...

I just went to write a test case for the SetEnvIf function, and there 
seems to be a rather annoying fundamental problem: the match_headers 
hook runs too early to be useful for this when doing per-dir client 
cert negotiation.

Attached the patch I have for mod_setenvif to clean it up and adopt the 
naming above; untested so far as I'm blocked by the fact that it doesn't 
work for per-dir negotiation.

joe
