On Thu, May 20, 1999, Andrea e Luca Giacobazzi wrote:
> I made a patch to ssl_engine_kernel.c in Apache 1.3.6 + mod_ssl-2.2.8-1.3.6
> + openssl-0.9.2b.tar.gz for verifying client certificate status with LDAPv2
> directory during client authentication, using OCSP API made by Tom Titchener
> for OpenSSL.
> The function searches LDAP for the client certificate by e-mail, and I assumed
> that if the cert is found in LDAP the status is 'good' (right just for our
> internal use), otherwise it is 'revoked' or 'unauthorized'. It adds an env var
> containing the cert status.
>
> I attach a diff file to apply the patch, with 'patch' command:
> patch -p1 original_file cert_status_patch.diff
>
> Hope it is useful to somebody; I accept any criticism or suggestion.
Thanks for working on an extension for mod_ssl. I've still not tried out the
stuff myself at runtime, but at least I've a few comments for you after
I've looked at your source. When you take these into account your patches
will be even better.
o The whole fperr stuff is not needed (and acceptable). mod_ssl provides a
really sophisticated logging mechanism through ssl_log() which the user can
configure and adjust. You should use this, please. Additionally you use
insecure things like ``fperr = fopen(..'' without error checks. And the use of
a static fperr isn't a good idea either. mod_ssl uses no global variables,
for thread safety and other reasons.
o Whenever you do I/O you should use ap_fopen() and friends
and not stdio stuff directly. Additionally, unsafe
things like sprintf() have to be replaced with ap_snprintf().
o Hard-coded things like ``fopen("/m/home/giacob/...'' or ``ldapservers =
"callisto.comune.modena.it:3389"'' are not acceptable. Every parameter used
either has to be a generic one which fits all situations or has
to be user configurable via an Apache config directive.
o Additionally, if you want this code to be considered for inclusion
into mod_ssl at some time, it would be helpful if you already
changed its coding style to the Apache coding style (mostly K&R style). For
details see http://dev.apache.org/styleguide.html and all other Apache
source code.
So, in short: I think the stuff is still not ready for inclusion, but if you
work on the above points it will be a very useful extension in the future.
Thanks for your efforts.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
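As an added illustration of the review points above (my own example, not the posted patch or mod_ssl's own code), here is the pattern being criticised next to a version that follows the advice. Apache's ap_snprintf(), ap_fopen() and ssl_log() are stood in for by snprintf(), fopen() and a log callback so the file builds without httpd headers; the host name, file paths and the config struct layout are constructed placeholders, not values from the patch.

```c
/* Added example, not the posted patch or mod_ssl code: the pattern Ralf
 * criticises, next to one that follows his points. Apache's ap_snprintf()
 * and ssl_log() are stood in for by snprintf() and a caller-supplied log
 * callback so the file compiles without httpd headers (assumption). */
#include <stdio.h>
#include <string.h>

/* BEFORE: static global, unchecked fopen(), hard-coded host, sprintf(). */
static FILE *fperr;                                   /* global state, not thread-safe */
void cert_status_before(const char *email)
{
    char filter[32];
    const char *ldapservers = "ldap.example.invalid:3389"; /* placeholder for the hard-coded host */
    fperr = fopen("/tmp/cert_status.log", "a");       /* result never checked */
    sprintf(filter, "(mail=%s)", email);              /* unbounded copy of a value taken from the cert */
    fprintf(fperr, "query %s: %s\n", ldapservers, filter); /* NULL deref if fopen() failed */
}

/* AFTER: no globals; everything the lookup needs comes in through a config
 * struct that an Apache directive would fill (hypothetical layout). */
typedef void (*log_fn)(const char *msg);              /* stand-in for ssl_log() */
typedef struct {
    const char *ldap_server;                          /* set from a config directive */
    log_fn      log;
} cert_status_cfg;

void stderr_log(const char *msg) { fprintf(stderr, "mod_ssl: %s\n", msg); }

/* Builds the "(mail=...)" filter into a caller-owned bounded buffer.
 * Returns 0 on success, -1 if it would not fit; truncation is reported
 * through the log and never silently used. */
int build_mail_filter(const cert_status_cfg *cfg, const char *email,
                      char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "(mail=%s)", email); /* ap_snprintf() in Apache */
    if (n < 0 || (size_t)n >= buflen) {
        cfg->log("cert status: e-mail too long for LDAP filter buffer");
        return -1;
    }
    return 0;
}

/* Opens a file the way the "before" code should have: check the result. */
int open_checked(const cert_status_cfg *cfg, const char *path, FILE **out)
{
    *out = fopen(path, "a");                          /* ap_fopen() in Apache */
    if (*out == NULL) { cfg->log("cert status: cannot open log file"); return -1; }
    return 0;
}
```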