httpd-dev mailing list archives

From: Joe Orton <jor...@redhat.com>
Subject: Re: [PATCH] mod_setenvif.c [was: ssl_ext_lookup #2]
Date: Thu, 22 Sep 2005 12:45:28 GMT

On Thu, Sep 22, 2005 at 01:04:25PM +0200, Martin Kraemer wrote:
> On Tue, Sep 20, 2005 at 05:33:30PM +0100, Joe Orton wrote:
> > >   SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
> > >           "(committers|administrators)" \
> > >           ThisUserHasAValidCert=$1
> > > 
> > > Later on, you can control access (in dir context, if desired) by
> > > 
> > >   allow from env=ThisUserHasAValidCert
> > 
> > That's just SSLRequire reimplemented badly, as you say.  What's the real 
> > use-case for this feature, what problem are you trying to solve?
> 
> If used for "allow from env=", you are right. But environment variables
> do have a much more global usage scenario.
> 
> I see a usage scenario in anything from CGIs (and .shtml / .php / .pl)
> to custom error documents, or rewriting and filtering. The patch

So you do just want to export env vars from mod_ssl?  Why does 
mod_setenvif have to come into the equation at all then?  Why not add 
something like "SSLOptions +ExportCertExts" to mod_ssl and export all 
the ext values in appropriately named env vars?  
SSL_EXT_S_1_3_6_etc="This is a comment", just as it does for the rest of 
the cert info with +ExportCertData?

joe

