httpd-modules-dev mailing list archives

From <>
Subject ssl_var_lookup snippet was Re: Confused about modules processing order...
Date Tue, 26 Jun 2012 20:17:55 GMT

---- Sorin Manolache <> wrote: 
> On 2012-06-26 19:56, wrote:
> >>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>> the hooks that execute earlier than webgate's check_user_id or
> >>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>> your hook, you have to get yourself the values of the server
> >>> certificates, client certificate, etc, everything that mod_ssl would
> >>> have given you, but too late.
> > "
> >
> > I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id
> > hook function is being called, but none of the SSL vars are populated (since, as you said,
> > mod_ssl doesn't populate them until the fixup phase).
> >
> > What mechanisms/methods could I use to get those SSL vars ("you have to get yourself
> > the values of the server certificates, client certificate, etc, ") at this point?
> I don't know, unfortunately. Have a look at the sources 
> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
> does it.
> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
> Maybe you can use it in check_user_id already.
> Sorin


THANKS for that pointer to ssl_var_lookup.  

As a very small payback (VERY small) for your help (and others), and for the record, I put
the following code (assembled from various places) in the ap_headers_early, and it seems to
work "somewhat":

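#include <stdio.h>
#include "apr_optional.h"   /* apr_dynamic_fn_retrieve */

static apr_status_t ap_headers_early(request_rec *r)
{
    /* Signature of mod_ssl's ssl_var_lookup, looked up by name at run time */
    typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
    ssl_var_lookup_t ssl_var_lookup = 0;
    const char *foo = NULL;

    printf("In ap_headers_early\n");
    printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");

    /* Returns NULL if no module has registered the function (e.g. mod_ssl is not loaded) */
    ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");

    if (ssl_var_lookup != NULL) {
        foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
    }

    /* Never pass NULL to %s: lookup unavailable or no value returned */
    printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo ? foo : "(null)");

    /* ... existing body of ap_headers_early in mod_headers.c continues here ... */
}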

and it seems to work perfectly!!

Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure
to use that in ANY of the module hooks?  

If so, now that that's working, where (which hook in mod_headers.c) would you recommend putting
my code in, such that I could get my code to run BEFORE the webgate?

Thanks again!!

