httpd-modules-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: ssl_var_lookup snippet was Re: Confused about modules processing order...
Date Wed, 27 Jun 2012 15:48:45 GMT
On 6/26/2012 3:17 PM, ohaya@cox.net wrote:
> 
> ---- Sorin Manolache <sorinm@gmail.com> wrote: 
>> On 2012-06-26 19:56, ohaya@cox.net wrote:
>>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
>>>>> the hooks that execute earlier than webgate's check_user_id or
>>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
>>>>> your hook, you have to get yourself the values of the server
>>>>> certificates, client certificate, etc, everything that mod_ssl would
>>>>> have given you, but too late.
>>> "
>>>
>>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
>>>
>>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
>>
>> I don't know, unfortunately. Have a look at the sources 
>> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
>> does it.
>>
>> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
>> Maybe you can use it in check_user_id already.
>>
>> Sorin
> 
> 
> Sorin,
> 
> THANKS for that pointer to ssl_var_lookup.  
> 
> As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat")
> 
> 
> static apr_status_t ap_headers_early(request_rec *r)
> {
> 
> printf("In ap_headers_early\n");
> 
> printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> 
> typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
> 
> ssl_var_lookup_t ssl_var_lookup = 0;
> 
> ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> 
> const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
> 
> printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> .
> .
> 
> and it seems to work perfectly!!
> 
> 
> Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?  
> 
> If so, now that that's working, where (which hook in mod_headers.c) would you recommend putting my code in, such that I could get my code to run BEFORE the webgate?

It won't work until the ssl connection has been negotiated, so no, not 'every' hook.

But you can use ssl_var_lookup as a much more effective method of accessing just a few
ssl connection strings instead of populating a very long and inefficient list of every
ssl session string (many of which are formatted and copied costing additional possibly
unnecessary cycles).

Unless the external process requires the entire list of ssl connection related text
strings, you shouldn't require your module's users to enable ssl envvars at all.
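
Added example (not part of the original message, and not httpd or mod_ssl code): the two guards an early hook needs around a single-variable lookup, namely a NULL check on the dynamically retrieved ssl_var_lookup pointer and a check that the SSL connection has been negotiated. The demo_* types and functions are constructed stand-ins, assumed here so the logic runs without the httpd headers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumptions, not httpd types): a connection record
 * and the signature of a per-variable lookup such as ssl_var_lookup. */
typedef struct { int tls_negotiated; const char *client_cert; } demo_conn;
typedef const char *(*demo_lookup_fn)(demo_conn *, const char *);

/* Stand-in for mod_ssl's lookup: resolves only the one name asked for. */
static const char *demo_ssl_var_lookup(demo_conn *c, const char *name)
{
    return strcmp(name, "SSL_CLIENT_CERT") == 0 ? c->client_cert : NULL;
}

/* Stand-in for apr_dynamic_fn_retrieve(): NULL when mod_ssl is not loaded. */
static int demo_mod_ssl_loaded = 1;
static demo_lookup_fn demo_fn_retrieve(const char *fn_name)
{
    if (demo_mod_ssl_loaded && strcmp(fn_name, "ssl_var_lookup") == 0)
        return demo_ssl_var_lookup;
    return NULL;
}

/* Guarded lookup for an early hook. Returns "" whenever the value cannot be
 * known, so callers never call through a null pointer or print a NULL. */
static const char *early_hook_client_cert(demo_conn *c)
{
    demo_lookup_fn lookup = demo_fn_retrieve("ssl_var_lookup");
    const char *val;

    if (lookup == NULL)       /* mod_ssl absent: retrieved pointer is 0 */
        return "";
    if (!c->tls_negotiated)   /* plain HTTP, or SSL not negotiated yet */
        return "";
    val = lookup(c, "SSL_CLIENT_CERT");
    return val != NULL ? val : "";   /* no client certificate presented */
}

int main(void)
{
    demo_conn tls = { 1, "constructed-sample-cert" };
    demo_conn plain = { 0, NULL };

    printf("tls:   [%s]\n", early_hook_client_cert(&tls));
    printf("plain: [%s]\n", early_hook_client_cert(&plain));
    return 0;
}
```

An empty result should be handled as "no client certificate available" by whatever access decision follows, never as a successful match.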
