httpd-modules-dev mailing list archives

From Sorin Manolache <>
Subject Re: ssl_var_lookup snippet was Re: Confused about modules processing order...
Date Tue, 26 Jun 2012 21:18:45 GMT
On 2012-06-26 22:17, wrote:
> ---- Sorin Manolache<>  wrote:
>> On 2012-06-26 19:56, wrote:
>>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
>>>>> the hooks that execute earlier than webgate's check_user_id or
>>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
>>>>> your hook, you have to get yourself the values of the server
>>>>> certificates, client certificate, etc, everything that mod_ssl would
>>>>> have given you, but too late.
>>> "
>>> I guess that what I'm seeing is exactly what you said would happen, i.e., my
>>> check_user_id hook function is being called, but none of the SSL vars are populated (since,
>>> as you said mod_ssl doesn't populate them until the fixup phase).
>>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself
>>> the values of the server certificates, client certificate, etc, ") at this point?
>> I don't know, unfortunately. Have a look at the sources
>> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
>> does it.
>> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
>> Maybe you can use it in check_user_id already.
>> Sorin
> Sorin,
> THANKS for that pointer to ssl_var_lookup.
> As a very small payback (VERY small) for your help (and others), and for the record,
> I put the following code (assembled from various places) in the ap_headers_early, and it seems
> to work "somewhat":
> static apr_status_t ap_headers_early(request_rec *r)
> {
>     printf("In ap_headers_early\n");
>     printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
>     /* Signature of mod_ssl's ssl_var_lookup; the last argument is the variable name. */
>     typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
>     ssl_var_lookup_t ssl_var_lookup = 0;
>     ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
>     if (ssl_var_lookup == NULL)   /* mod_ssl is not loaded, nothing to look up */
>         return DECLINED;
>     const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
>     printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> .
> .
> and it seems to work perfectly!!
> Do you think that such calls would work in ANY hook?  In other words, would I be at my
> leisure to use that in ANY of the module hooks?

No, it won't work in any hook, in my opinion. The availability of the 
data depends on the phase (hook) in which you run the ssl_var_lookup.

I think, though I'm not sure, that the data are gathered in the 
post_read_request hook. If so, ssl_var_lookup would work in any hook 
that is called after post_read_request.

ap_headers_early is run in post_read_request. My intuition is that 
putting your code there is slightly too early. This is because the 
directory-wide configuration of the request is not yet correctly set in 
this phase and URL rewrite rules have not yet been applied, although I 
don't know if this would affect your functionality.

I'd put the code either in header_parser or in check_user_id and I'd try 
to make sure that my check_user_id is run before webgate's check_user_id.

I'd go for header_parser as it is always run for main requests. 
check_user_id is run only when some conditions are satisfied (check the 
ap_process_request_internal in server/request.c).

If you go for check_user_id, make sure that it is run before Oracle's 
check_user_id. In order to do so, you can use APR_HOOK_FIRST 
(ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)), 
or you can use something like

static const char *successor[] = {nameoftheoraclesourcefile, NULL};
ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);

(See how mod_ssl places its post_read_request _after_ mod_setenvif's in 

Also, I would not change mod_headers, I would write my own module in 
which I'd place my header_parser hook.
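
The two registration options in the reply above, as a self-contained C model (an added example, not code from the thread or from APR): hooks are ordered by numeric priority first, and a successor list then overrides that number. The struct, `run_order`, `mod_mine.c` and `webgate.c` are constructed names; only successor lists are modelled, and keeping equal priorities in registration order is an assumption of the model.

```c
/* Simplified model of hook ordering (added example, not APR source). */
#include <stdio.h>
#include <string.h>
enum { HOOK_FIRST = 0, HOOK_MIDDLE = 10, MAX_HOOKS = 8 }; /* like APR_HOOK_* */
struct hook {
    const char *src;          /* source file of the registering module */
    int order;                /* numeric priority, lower runs earlier */
    const char *const *succ;  /* NULL-terminated files that must run later */
};
/* Index of an unplaced hook that names h[cur] as its successor, or -1. */
static int blocker(const struct hook *h, int n, const int *placed, int cur) {
    for (int j = 0; j < n; j++)
        for (int i = 0; !placed[j] && h[j].succ && h[j].succ[i]; i++)
            if (j != cur && strcmp(h[j].succ[i], h[cur].src) == 0) return j;
    return -1;
}

/* Write indices of h[] into out[] in run order; -1 on a constraint cycle. */
int run_order(const struct hook *h, int n, int *out) {
    int placed[MAX_HOOKS] = {0};
    if (n > MAX_HOOKS) return -1;
    for (int pos = 0; pos < n; pos++) {
        int cur = -1;
        for (int i = 0; i < n; i++)  /* lowest value wins, ties by registration */
            if (!placed[i] && (cur < 0 || h[i].order < h[cur].order)) cur = i;
        /* a successor constraint overrides the number: run the blocker first */
        for (int steps = 0, b; (b = blocker(h, n, placed, cur)) >= 0; steps++) {
            if (steps >= n) return -1;
            cur = b;
        }
        placed[cur] = 1; out[pos] = cur;
    }
    return 0;
}

/* Constructed data; "webgate.c" stands in for the vendor module's file name. */
static const char *const before_webgate[] = { "webgate.c", NULL };
static const struct hook both_first[] = {
    { "webgate.c", HOOK_FIRST, NULL }, { "mod_mine.c", HOOK_FIRST, NULL } };
static const struct hook with_successor[] = {
    { "webgate.c", HOOK_FIRST, NULL }, { "mod_mine.c", HOOK_MIDDLE, before_webgate } };

int main(void) {
    int a[2], b[2];
    if (run_order(both_first, 2, a) || run_order(with_successor, 2, b)) return 1;
    printf("both FIRST:     %s runs first\n", both_first[a[0]].src);
    printf("with successor: %s runs first\n", with_successor[b[0]].src);
    return 0;
}
```

In the model, two hooks that both ask for the first slot are separated only by registration order, while the successor list puts `mod_mine.c` ahead of `webgate.c` even from the middle priority.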

