httpd-modules-dev mailing list archives

From <>
Subject Re: How to access client certificate PEM and incoming request headers in a module?
Date Mon, 18 Jun 2012 03:45:34 GMT

---- wrote: 
> ---- Ben Noordhuis <> wrote: 
> > On Sun, Jun 17, 2012 at 9:46 PM,  <> wrote:
> > > Hi,
> > >
> > > I am starting to look into implementing an Apache module that can use information
> > > from an incoming request, including several headers and the subject string from a client certificate
> > > to do authentication.
> > >
> > > I've been looking at the source for mod_auth_certificate, from,
> > > as a starting point.
> > >
> > > However, it looks like the way that mod_auth_certificate works is that it requires
> > > that there's an SSLUserName directive to put the client certificate DN into the Apache REMOTE_USER
> > > attribute, whereas I need the entire PEM for the client cert to do authentication that I'm
> > > trying to do.
> > >
> > > So I was wondering if it's possible for a module to access the SSL_CLIENT_S_DN
> > > and SSL_CLIENT_CERT environment variables, and if so, how?
> > 
> > They should be set in r->subprocess_env provided `SSLOptions
> > +StdEnvVars +ExportCertData` is set in the server or per-directory
> > config.
> > 
> > > Also, as mentioned my module would need to access several HTTP headers that
> > > are in the incoming requests.  How can it do that?
> > 
> > Look them up with `apr_table_get(r->headers_in, "X-Header-Name")`.
> Ben,
> Thanks.  I'll give those a try.  We already have the SSLOptions set as you mentioned, so assuming
> that I can figure out the coding (it's been a long time since I've done C/C++), that should
> work :)...
> Jim


I haven't actually tried your suggestion yet, but, re. the SSL variables, I was looking at
mod_headers.c, and in there, there are two separate functions:

static const char *header_request_env_var(request_rec *r, char *a)
{
    const char *s = apr_table_get(r->subprocess_env,a);

    if (s)
        return unwrap_header(r->pool, s);
    else
        return "(null)";
}

static const char *header_request_ssl_var(request_rec *r, char *name)
{
    if (header_ssl_lookup) {
        const char *val = header_ssl_lookup(r->pool, r->server,
                                            r->connection, r, name);
        if (val && val[0])
            return unwrap_header(r->pool, val);
        else
            return "(null)";
    }
    else {
        return "(null)";
    }
}

So, it seems like the method to get the SSL variables is different than the other environment

Or, does setting SSLOptions the way that you suggested cause the SSL variables to also exist
in apr_table_get(r->subprocess_env, xxxx)?
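
An added example, not part of the original message and not httpd code: a stand-alone C model of the two lookup paths discussed above (an SSL lookup function pointer that may be NULL, as `header_ssl_lookup` is tested in the quoted mod_headers.c code, and the `r->subprocess_env` table), returning NULL rather than the string "(null)" so that an authentication check fails closed. The `struct kv` table, `ssl_lookup_fn`, `ssl_var`, `have_auth_inputs` and all sample data are assumptions made for illustration; a real module would call `apr_table_get` on the request's own tables.

```c
#include <ctype.h>
#include <string.h>

/* Stand-ins (assumptions): a real module uses apr_table_t and request_rec. */
struct kv { const char *key; const char *val; };
typedef const char *(*ssl_lookup_fn)(const char *name); /* NULL: mod_ssl not loaded */

/* Case-insensitive key match, as apr_table_get() does; table ends at a NULL key. */
static const char *table_get(const struct kv *t, const char *key)
{
    for (; t && t->key; t++) {
        const char *a = t->key, *b = key;
        while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
        if (*a == '\0' && *b == '\0') return t->val;
    }
    return NULL;
}

/* SSL lookup path first, then the exported environment. Returns NULL when the
 * value is absent or empty, never a placeholder string such as "(null)". */
static const char *ssl_var(ssl_lookup_fn lookup, const struct kv *env, const char *name)
{
    const char *v = lookup ? lookup(name) : NULL;
    if (!v || !v[0]) v = table_get(env, name);
    return (v && v[0]) ? v : NULL;
}

/* Fail closed: 1 only if a PEM certificate and the named header are both present. */
static int have_auth_inputs(ssl_lookup_fn lookup, const struct kv *env,
                            const struct kv *headers_in, const char *header)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    const char *pem = ssl_var(lookup, env, "SSL_CLIENT_CERT");
    const char *hdr = table_get(headers_in, header);
    return pem && strncmp(pem, begin, sizeof(begin) - 1) == 0 && hdr && hdr[0];
}

/* Constructed sample data: placeholder PEM body, made-up DN and header value. */
static const char *sample_lookup(const char *name)
{
    return strcmp(name, "SSL_CLIENT_CERT") ? ""
         : "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n";
}
static const struct kv sample_env[] = { { "SSL_CLIENT_S_DN", "CN=constructed" }, { NULL, NULL } };
static const struct kv sample_headers[] = { { "X-Header-Name", "value" }, { NULL, NULL } };
static const struct kv no_entries[] = { { NULL, NULL } };

int main(void) { /* exit status 0 when both constructed cases behave as described */
    return !(have_auth_inputs(sample_lookup, sample_env, sample_headers, "x-header-name")
             && !have_auth_inputs(NULL, no_entries, sample_headers, "X-Header-Name")); }
```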

