httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Kraemer <mar...@apache.org>
Subject Re: [PATCH] ssl_ext_lookup #2
Date Tue, 20 Sep 2005 10:16:40 GMT
On Fri, Sep 16, 2005 at 09:56:25AM +0100, David Reid wrote:
> > Can we just back out the mod_setenvif stuff from the trunk or is someone 
> > going to make it work BTW?
> 
> I didn't add the code, but unless it works then I'm +1 on it's removal.
> That said, Dirk claims it works for him, so I'd be inclined to leave it
> in trunk for now, but not in any releases.
> 
> Martin: does it work for you?

I am currently trying to make it work... But ATM as soon as I require
a client cert, I get a deadlock (both the SSL client and server try to
read during the handshake). Hang out a little longer, please...

To recap the problem, Joe said:
> there
> seems to be a rather annoying fundamental problem: the match_headers
> hooks runs too early to be useful for this when doing per-dir client
> cert negotiation.

I haven't traced it: why is match_headers too early? In theory, the
SSL negotiation has been done with before the request and headers can
be read. Of course, it would be too late for switching on
SSLVerifyClient in a per-dir-context unless it has already been on
globally. But that has nothing to do with mod_setenvif, only with the
way SSL requests work.

  Martin
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730  Munich,  Germany

Mime
View raw message