httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] ssl_ext_lookup #2
Date Tue, 20 Sep 2005 11:12:53 GMT
On Tue, Sep 20, 2005 at 12:16:40PM +0200, Martin Kraemer wrote:
> To recap the problem, Joe said:
> > there
> > seems to be a rather annoying fundamental problem: the match_headers
> > hook runs too early to be useful for this when doing per-dir client
> > cert negotiation.
> 
> I haven't traced it: why is match_headers too early? 

match_headers is a header_parser hook, and header_parser hooks run 
before auth hooks in request processing; per-dir SSL negotiation is an 
auth hook.

> In theory, the SSL negotiation has been done with before the request 
> and headers can be read. Of course, it would be too late for switching 
> on SSLVerifyClient in a per-dir-context unless it has already been on 
> globally. But that has nothing to do with mod_setenvif, only with the 
> way SSL requests work.

It has everything to do with mod_setenvif.  If this were e.g. a 
mod_rewrite extension instead it would work correctly for per-dir rules 
since mod_rewrite per-dir rules are processed in a fixup hook - *after* 
the auth hooks.

joe
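
The ordering argument in this message, as an added example that is not part of the original mail and is not httpd or mod_ssl source. It is a simplified model: the three phase functions, the `request` struct, `run_request` and the sample DN are all constructed for illustration, and only the phase order (header_parser, then auth, then fixup) is taken from the message.

```c
/* Simplified model of the request phases named in the message (illustration only). */
#include <stdio.h>
#include <string.h>

enum { SAW_AT_HEADER_PARSER = 1, SAW_AT_FIXUP = 2 };

typedef struct {
    const char *client_dn;  /* NULL until a client cert has been negotiated */
    int per_dir_verify;     /* client cert requested only for this directory */
    int seen;               /* bitmask: which hooks could match on the cert */
} request;

/* Constructed sample subject DN. */
static const char *SAMPLE_DN = "CN=alice,O=Example";

/* A rule that matches on client certificate data (hypothetical pattern). */
static int cert_matches(const request *r) {
    return r->client_dn != NULL && strstr(r->client_dn, "O=Example") != NULL;
}

/* header_parser phase: where the match_headers hook runs. */
static void header_parser(request *r) {
    if (cert_matches(r)) r->seen |= SAW_AT_HEADER_PARSER;
}

/* auth phase: per-dir SSL negotiation obtains the client cert here. */
static void auth(request *r) {
    if (r->per_dir_verify && r->client_dn == NULL) r->client_dn = SAMPLE_DN;
}

/* fixup phase: where per-dir rewrite rules are processed. */
static void fixup(request *r) {
    if (cert_matches(r)) r->seen |= SAW_AT_FIXUP;
}

/* Run the phases in order and report which hooks saw a matching cert. */
int run_request(int global_verify, int per_dir_verify) {
    request r = { global_verify ? SAMPLE_DN : NULL, per_dir_verify, 0 };
    void (*phases[])(request *) = { header_parser, auth, fixup };
    for (size_t i = 0; i < sizeof phases / sizeof phases[0]; i++)
        phases[i](&r);
    return r.seen;
}

int main(void) {
    printf("per-dir verify only: seen=%d\n", run_request(0, 1));
    printf("global verify:       seen=%d\n", run_request(1, 0));
    return 0;
}
```

With per-dir verification only, the header_parser-phase rule never matches, so any environment variable it was meant to set from certificate data stays unset; with verification already on globally, both phases see the certificate.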
