httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] ssl_ext_lookup #2
Date Tue, 20 Sep 2005 16:33:30 GMT
On Tue, Sep 20, 2005 at 05:32:32PM +0200, Martin Kraemer wrote:
> On Tue, Sep 20, 2005 at 12:12:53PM +0100, Joe Orton wrote:
> > > 
> > > I haven't traced it: why is match_headers too early? 
> > 
> > match_headers is a header_parser hook, and header_parser hooks run 
> > before auth hooks in request processing; per-dir SSL negotiation is an 
> > auth hook.
> > 
> > [...]
> > It has everything to do with mod_setenvif.  If this were e.g. a 
> > mod_rewrite extension instead it would work correctly for per-dir rules 
> > since mod_rewrite per-dir rules are processed in a fixup hook - *after* 
> > the auth hooks.
> 
> Isn't that exactly what we wanted (and why it also works for me)?

No, you're missing the point.  I'm talking about configurations where 
"SSLVerifyClient require" is configured in per-location context rather 
than at vhost context.  In that case, the client cert has only been 
negotiated when the auth hooks run, so trying to do anything with the 
client cert *before* the auth hooks run is not going to work.

>   "header_parser hooks run before auth hooks processing"
> So match_headers() gets called and sets the environment variable:
> 
>   SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
>           "(committers|administrators)" \
>           ThisUserHasAValidCert=$1
> 
> Later on, you can control access (in dir context, if desired) by
> 
>   allow from env=ThisUserHasAValidCert

That's just SSLRequire reimplemented badly, as you say.  What's the real 
use-case for this feature, what problem are you trying to solve?

joe
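As an added illustration of the hook-ordering point Joe makes above (this configuration is not part of the original thread or of the patch under discussion), the two server blocks below contrast the contexts he describes. The `SetEnvIf SSL_PeerExtList(...)` syntax is the one proposed in the thread, and the OID and group names are taken from Martin's quoted example; file paths, ports and the `/committers-only` location are placeholders. The use of `PeerExtList()` inside `SSLRequire` in the second block is an assumption about the expression functions available in your httpd release and should be checked against its mod_ssl documentation.

```apache
# Added illustration, not from the thread or the patch.
# OID and group names: from the quoted SetEnvIf example.
# Paths, ports and locations: placeholders.

# Case 1: client certificate required at vhost level.
# The certificate is negotiated in the initial handshake, so it is already
# known when header_parser hooks (where mod_setenvif's match_headers runs)
# are called. The proposed SetEnvIf directive can therefore see it.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  2

    SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
             "(committers|administrators)" \
             ThisUserHasAValidCert=$1

    <Location /committers-only>
        Order deny,allow
        Deny from all
        Allow from env=ThisUserHasAValidCert
    </Location>
</VirtualHost>

# Case 2: client certificate required only for one location.
# mod_ssl performs the renegotiation that obtains the certificate in an
# auth hook, which runs *after* header_parser. A SetEnvIf directive placed
# here (or anywhere) would be evaluated before the certificate exists, so
# ThisUserHasAValidCert would never be set and the Allow line would never
# match. SSLRequire is evaluated by mod_ssl itself after the renegotiation,
# so it is the directive that works in this context.
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/ca.crt

    SSLVerifyClient none

    <Location /committers-only>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Assumption: PeerExtList() is available as an SSLRequire function
        # in the httpd release in use; verify against its mod_ssl docs.
        SSLRequire "committers" in PeerExtList("1.3.6.1.4.1.18060.1") \
                or "administrators" in PeerExtList("1.3.6.1.4.1.18060.1")
    </Location>
</VirtualHost>
```

The practical check is where `SSLVerifyClient require` sits: at vhost level the certificate is present for every hook that follows the handshake, while in a per-directory or per-location context it only appears once mod_ssl's auth-phase renegotiation has completed, so any directive that inspects it must run in or after that phase.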
