tomcat-dev mailing list archives

From jean-frederic clere <jfrederic.cl...@fujitsu-siemens.com>
Subject Re: DO NOT REPLY [Bug 4545] New: - Webapp connector seg faults under an SSL connection
Date Mon, 05 Nov 2001 16:17:05 GMT
Pier Fumagalli wrote:
> 
> GOMEZ Henri at hgomez@slib.fr wrote:
> 
> >>> It's mandatory if you want the SSL vars in the environment. However, the
> >>> information is available in the SSL context without exporting it to
> >>> environment variables. Two chunks of C code in the same process that
> >>> communicate via environment variables, rather than passed parameters, is
> >>> generally bad practice.
> >>
> >> And in fact in the same process we don't use environment variables... Look
> >> at the code and you'll "discover" that the Apache request_rec structure has
> >> a nice ap_table (r->subprocess_env) which holds all variables. Only mod_cgi
> >> converts that table into a set of environment variables...
> >>
> >> The +StdEnvVars +ExportCertData options in mod_ssl only tell the SSL
> >> module to fill up the r->subprocess_env table...
> >
> > Thanks for that clarification, and you confirm that without SSLOptions
> > the ap_table won't have SSL information...
> 
> I can't "confirm" it, as I never tried (and don't have the code around),

I do confirm it:
+++
    if (dc->nOptions & SSL_OPT_STDENVVARS) {
        for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
            var = (char *)ssl_hook_Fixup_vars[i];
            val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
            if (!strIsEmpty(val))
                apr_table_set(e, var, val);
        }
    }
+++ 
That is httpd-2.0/modules/ssl/ssl_engine_kernel.c, the +ExportCertData is some
lines below...

> but
> all the three (JSERV, WEBAPP and JK) rely on the table... That particular
> table is the one used by mod_cgi to prepare environment variables. Check out
> in mod_jserv, to pass some of the parameters over AJP, for backward
> compatibility, we had to call something like ap_prepare_subprocess_env
> (which sets up the "standard" CGI variables in that table), and then passed
> some of those to the servlet container...
> 
> I believe that w/o that option mod_ssl won't fill up the table, and there's
> not much you can do without them...

At least testing for null before the atoi() to prevent the core, that's what I
fixed some days ago :)

> 
>     Pier
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
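
The null test before atoi() discussed in this message, as an added example that is not part of the original thread or of the httpd or connector source. `env_entry`, `env_get` and `ssl_int_var` are hypothetical stand-ins for the request table and a lookup like apr_table_get(), and SSL_CIPHER_USEKEYSIZE is chosen for illustration; the thread does not say which variable the connector parsed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for r->subprocess_env: a flat key/value table. */
struct env_entry { const char *key; const char *val; };

/* Like apr_table_get(): returns NULL when the key was never set. */
static const char *env_get(const struct env_entry *t, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].key, key) == 0)
            return t[i].val;
    return NULL;
}

/* Returns 0 on success, -1 when the variable is absent or not a plain int. */
static int ssl_int_var(const struct env_entry *t, size_t n,
                       const char *key, int *out)
{
    const char *val = env_get(t, n, key);
    char *end; long v;
    if (val == NULL || *val == '\0')  /* NULL passed to atoi() is the crash */
        return -1;
    errno = 0;
    v = strtol(val, &end, 10);        /* unlike atoi(), reports bad input */
    if (errno != 0 || end == val || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Constructed sample tables: with and without SSLOptions +StdEnvVars. */
static const struct env_entry with_stdenvvars[] = {
    { "SSL_CIPHER_USEKEYSIZE", "128" },
};
static const struct env_entry without_stdenvvars[] = {
    { "REQUEST_METHOD", "GET" },
};

int main(void)
{
    int bits = 0;
    printf("with: %d\n", ssl_int_var(with_stdenvvars, 1, "SSL_CIPHER_USEKEYSIZE", &bits));
    printf("without: %d\n", ssl_int_var(without_stdenvvars, 1, "SSL_CIPHER_USEKEYSIZE", &bits));
    return 0;
}
```

A caller that gets -1 can treat the request as carrying no SSL attributes instead of dereferencing a missing value.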
