From: Joe Orton
To: dev@httpd.apache.org
Date: Tue, 20 Sep 2005 17:33:30 +0100
Subject: Re: [PATCH] ssl_ext_lookup #2
Message-ID: <20050920163330.GA21283@redhat.com>
Mail-Followup-To: dev@httpd.apache.org
References: <4325986A.2080305@jetnet.co.uk> <20050914123636.GA1753@redhat.com> <4328A020.9060002@jetnet.co.uk> <20050915153049.GA26040@redhat.com> <432A88B9.5070206@jetnet.co.uk> <20050920101640.GA44675@deejai2.mch.fsc.net> <20050920111253.GA13193@redhat.com> <20050920153232.GD44675@deejai2.mch.fsc.net>
In-Reply-To: <20050920153232.GD44675@deejai2.mch.fsc.net>

On Tue, Sep 20, 2005 at 05:32:32PM +0200, Martin Kraemer wrote:
> On Tue, Sep 20, 2005 at 12:12:53PM +0100, Joe Orton wrote:
> > >
> > > I haven't traced it: why is match_headers too early?
> >
> > match_headers is a header_parser hook, and header_parser hooks run
> > before auth hooks in request processing; per-dir SSL negotiation is an
> > auth hook.
> >
> > [...]
> > It has everything to do with mod_setenvif. If this were e.g. a
> > mod_rewrite extension instead it would work correctly for per-dir rules
> > since mod_rewrite per-dir rules are processed in a fixup hook - *after*
> > the auth hooks.
>
> Isn't that exactly what we wanted (and why it also works for me)?

No, you're missing the point. I'm talking about configurations where
"SSLVerifyClient require" is configured in per-location context rather
than at vhost context. In that case, the client cert has only been
negotiated when the auth hooks run, so trying to do anything with the
client cert *before* the auth hooks run is not going to work.

> "header_parser hooks run before auth hooks processing"
> So match_headers() gets called and sets the environment variable:
>
>   SetEnvIf SSL_PeerExtList("1.3.6.1.4.1.18060.1") \
>            "(committers|administrators)" \
>            ThisUserHasAValidCert=$1
>
> Later on, you can control access (in dir context, if desired) by
>
>   allow from env=ThisUserHasAValidCert

That's just SSLRequire reimplemented badly, as you say.

What's the real use-case for this feature, what problem are you trying
to solve?

joe