Date: Sun, 17 Jun 2012 22:22:43 -0400
To: modules-dev@httpd.apache.org
Cc: Ben Noordhuis
Subject: Re: How to access client certificate PEM and incoming request headers in a module?

---- Ben Noordhuis wrote:
> On Sun, Jun 17, 2012 at 9:46 PM, wrote:
> > Hi,
> >
> > I am starting to look into implementing an Apache module that can use information from an incoming request, including several headers and the subject string from a client certificate to do authentication.
> >
> > I've been looking at the source for mod_auth_certificate, from https://modules.apache.org/, as a starting point.
> >
> > However, it looks like the way that mod_auth_certificate works is that it requires that there's an SSLUserName directive to put the client certificate DN into the Apache REMOTE_USER attribute, whereas I need the entire PEM for the client cert to do authentication that I'm trying to do.
> >
> > So I was wondering if it's possible for a module to access the SSL_CLIENT_S_DN and SSL_CLIENT_CERT environment variables, and if so, how?
>
> They should be set in r->subprocess_env provided `SSLOptions
> +StdEnvVars +ExportCertData` is set in the server or per-directory
> config.
>
> > Also, as mentioned my module would need to access several HTTP headers that are in the incoming requests. How can it do that?
>
> Look them up with `apr_table_get(r->headers_in, "X-Header-Name")`.

Ben,

Thanks. I'll give those a try. We already have the SSLOptions set as you mentioned, so assuming that I can figure out the coding (it's been a long time since I've done C/C++), that should work :)...

Jim
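
An added example, not part of the original thread and not code from any Apache module: the two lookups Ben describes, with every missing or malformed input treated as a refusal. `kv_t` and `tbl_get` are stand-ins (an assumption) for `apr_table_t` and `apr_table_get` so the code builds without the httpd/APR headers; `collect_auth_inputs`, `looks_like_pem_cert` and the sample tables are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Stand-in for apr_table_t so this builds without httpd/APR headers (assumption).
 * In a module: apr_table_get(r->subprocess_env, k) and apr_table_get(r->headers_in, k). */
typedef struct { const char *key, *val; } kv_t;

/* Case-insensitive key match, like apr_table_get(). */
const char *tbl_get(const kv_t *t, const char *key) {
    for (; t != NULL && t->key != NULL; t++)
        if (strcasecmp(t->key, key) == 0) return t->val;
    return NULL;
}

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Framing check only: one BEGIN/END pair, non-empty body, nothing after END.
 * It does not validate the certificate itself. */
int looks_like_pem_cert(const char *s) {
    size_t blen = sizeof(PEM_BEGIN) - 1;
    const char *end, *tail;
    if (s == NULL || strncmp(s, PEM_BEGIN, blen) != 0) return 0;
    end = strstr(s + blen, PEM_END);
    if (end == NULL || end - (s + blen) < 2) return 0;   /* no body between markers */
    tail = end + sizeof(PEM_END) - 1;
    return tail[strspn(tail, " \r\n")] == '\0';          /* only whitespace after END */
}

enum auth_in { AUTH_IN_OK, AUTH_IN_NO_CERT, AUTH_IN_BAD_CERT, AUTH_IN_NO_DN, AUTH_IN_NO_HEADER };

/* Gather the inputs the poster wants; any missing piece is a refusal, never a default. */
enum auth_in collect_auth_inputs(const kv_t *env, const kv_t *hdrs, const char *hdr_name,
                                 const char **pem, const char **dn, const char **hdr) {
    *pem = tbl_get(env, "SSL_CLIENT_CERT");   /* present only with +ExportCertData */
    *dn  = tbl_get(env, "SSL_CLIENT_S_DN");   /* present only with +StdEnvVars */
    *hdr = tbl_get(hdrs, hdr_name);           /* client-supplied value */
    if (*pem == NULL) return AUTH_IN_NO_CERT;
    if (!looks_like_pem_cert(*pem)) return AUTH_IN_BAD_CERT;
    if (*dn == NULL || **dn == '\0') return AUTH_IN_NO_DN;
    if (*hdr == NULL || **hdr == '\0') return AUTH_IN_NO_HEADER;
    return AUTH_IN_OK;
}

/* Constructed sample data; the certificate body is a placeholder, not a real cert. */
const kv_t sample_env[] = {
    {"SSL_CLIENT_S_DN", "CN=example-user,O=Example"},
    {"SSL_CLIENT_CERT", PEM_BEGIN "\nPLACEHOLDERBASE64\n" PEM_END "\n"},
    {NULL, NULL}};
const kv_t sample_env_no_export[] = {{"SSL_CLIENT_S_DN", "CN=example-user,O=Example"}, {NULL, NULL}};
const kv_t sample_hdrs[] = {{"x-header-name", "value-1"}, {NULL, NULL}};
```

The SSL_CLIENT_* values come from mod_ssl, while anything read from the request headers is chosen by the client and should be validated as untrusted input.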