httpd-modules-dev mailing list archives

From <oh...@cox.net>
Subject Re: ssl_var_lookup snippet was Re: Confused about modules processing order...
Date Wed, 27 Jun 2012 17:15:37 GMT

---- "William A. Rowe Jr." <wrowe@rowe-clan.net> wrote: 
> On 6/26/2012 3:17 PM, ohaya@cox.net wrote:
> > 
> > ---- Sorin Manolache <sorinm@gmail.com> wrote: 
> >> On 2012-06-26 19:56, ohaya@cox.net wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources 
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> > 
> > 
> > Sorin,
> > 
> > THANKS for that pointer to ssl_var_lookup.  
> > 
> > As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat")
> > 
> > 
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> > 
> > printf("In ap_headers_early\n");
> > 
> > printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> > 
> > /* Signature of the ssl_var_lookup function exported by mod_ssl */
> > typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
> > 
> > ssl_var_lookup_t ssl_var_lookup = 0;
> > 
> > /* Returns NULL when no module has registered the function (mod_ssl not loaded) */
> > ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> > 
> > if (ssl_var_lookup == NULL)
> >     return DECLINED;
> > 
> > const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
> > 
> > printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> > .
> > .
> > 
> > and it seems to work perfectly!!
> > 
> > 
> > Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?  
> > 
> > If so, now that that's working, where (which hook in mod_headers.c) would you recommend putting my code in, such that I could get my code to run BEFORE the webgate?
> 
> It won't work until the ssl connection has been negotiated, so no, not 'every' hook.
> 
> But you can use ssl_var_lookup as a much more effective method of accessing just a few
> ssl connection strings instead of populating a very long and inefficient list of every
> ssl session string (many of which are formatted and copied costing additional possibly
> unnecessary cycles).
> 
> Unless the external process requires the entire list of ssl connection related text
> strings, you shouldn't require your module's users to enable ssl envvars at all.


Hi,

Thanks for that info.  My module actually only needs the SSL_CLIENT_CERT, so I'll give it
a try to see what is the minimal (maybe none :)) SSLOptions I'll need.

Jim
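
Added example, not code from this thread or from mod_ssl: the lookup discussed above with its failure cases separated, so an early hook can tell "mod_ssl not loaded" from "no client certificate available" before trusting the value. The httpd/APR types, fake_ssl_var_lookup, this apr_dynamic_fn_retrieve, mod_ssl_loaded, get_client_cert and enum cert_status are constructed stand-ins or hypothetical names so the block compiles without httpd headers; the stand-in's empty-string return is an assumption.

```c
#include <string.h>
/* Constructed stand-ins (types, lookup, apr_dynamic_fn_retrieve): no httpd headers. */
typedef struct apr_pool_t apr_pool_t; typedef struct server_rec server_rec;
typedef struct conn_rec { char *peer_pem; } conn_rec;
typedef struct request_rec {
    apr_pool_t *pool; server_rec *server; conn_rec *connection;
} request_rec;
typedef void (apr_opt_fn_t)(void);
typedef char *(*ssl_var_lookup_t)(apr_pool_t *, server_rec *, conn_rec *,
                                  request_rec *, char *);
static int mod_ssl_loaded = 1;  /* hypothetical switch: is mod_ssl present? */
static char empty[] = "";
/* Stand-in lookup; assumed to yield "" when the value is unavailable. */
static char *fake_ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
                                 request_rec *r, char *name)
{
    (void)p; (void)s; (void)r;
    if (strcmp(name, "SSL_CLIENT_CERT") == 0 && c->peer_pem != NULL)
        return c->peer_pem;
    return empty;
}
static apr_opt_fn_t *apr_dynamic_fn_retrieve(const char *name)
{
    if (mod_ssl_loaded && strcmp(name, "ssl_var_lookup") == 0)
        return (apr_opt_fn_t *)fake_ssl_var_lookup;
    return NULL;                    /* nothing registered under that name */
}
enum cert_status { CERT_OK, CERT_NO_MOD_SSL, CERT_NOT_PRESENTED };
/* Guarded lookup for an early hook (hypothetical helper name). */
static enum cert_status get_client_cert(request_rec *r, const char **pem)
{
    static char var[] = "SSL_CLIENT_CERT";
    ssl_var_lookup_t lookup =
        (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
    *pem = NULL;
    if (lookup == NULL)
        return CERT_NO_MOD_SSL;     /* mod_ssl not loaded: never call it */
    const char *v = lookup(r->pool, r->server, r->connection, r, var);
    if (v == NULL || *v == '\0')
        return CERT_NOT_PRESENTED;  /* no TLS session or no client cert */
    *pem = v;
    return CERT_OK;
}
int main(void)
{
    char pem[] = "constructed-pem";  /* constructed sample value */
    conn_rec c = { pem }; request_rec r = { NULL, NULL, &c };
    const char *out;
    return get_client_cert(&r, &out) == CERT_OK ? 0 : 1;
}
```

A module that authenticates on the certificate should treat both non-OK results as "no identity" and refuse the request rather than continue with an empty value.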
