On Tue, Aug 16, 2005 at 04:45:41PM +0100, David Reid wrote: > Joe Orton wrote: > > On Mon, Aug 15, 2005 at 02:36:18PM +0100, Joe Orton wrote: > > > >>I just went to write a test case for the SetEnvIf function, and there > >>seems to be a rather annoying fundamental problem: the match_headers > >>hooks runs too early to be useful for this when doing per-dir client > >>cert negotiation. > > > > > > I can't see any simple way round this, and I don't think this feature > > should go in 2.2 unless this can be solved. Any ideas? > > I've not looked at it in detail, so would have to dig through the code. > Care to post your test case?
Well, try testing it in any configuration with "SSLVerifyClient require" in Directory or Location context rather than in the vhost context. httpd-test test case: mkdir t/htdocs/modules/setenvif/ssl + applying Index: t/conf/extra.conf.in =================================================================== --- t/conf/extra.conf.in (revision 231019) +++ t/conf/extra.conf.in (working copy) @@ -358,6 +358,11 @@ Options +Includes AllowOverride All </Directory> + + <Directory @SERVERROOT@/htdocs/modules/setenvif/ssl> + Options +Includes + AllowOverride All + </Directory> </IfModule> ## Index: t/htdocs/modules/setenvif/ssl/.htaccess =================================================================== --- t/htdocs/modules/setenvif/ssl/.htaccess (revision 0) +++ t/htdocs/modules/setenvif/ssl/.htaccess (revision 0) @@ -0,0 +1 @@ +SetEnvIf SSL_PeerExtList("2.16.840.1.113730.1.13") "(.*)" NETSCAPE_COMMENT=$1 Property changes on: t/htdocs/modules/setenvif/ssl/.htaccess ___________________________________________________________________ Name: svn:eol-style + native Index: t/htdocs/modules/setenvif/ssl/peerextlist.shtml =================================================================== --- t/htdocs/modules/setenvif/ssl/peerextlist.shtml (revision 0) +++ t/htdocs/modules/setenvif/ssl/peerextlist.shtml (revision 0) @@ -0,0 +1 @@ +0:<!--#echo var="NETSCAPE_COMMENT"--> Property changes on: t/htdocs/modules/setenvif/ssl/peerextlist.shtml ___________________________________________________________________ Name: svn:eol-style + native Index: t/ssl/setenvif.t =================================================================== --- t/ssl/setenvif.t (revision 0) +++ t/ssl/setenvif.t (revision 0) @@ -0,0 +1,21 @@ +use strict; +use warnings FATAL => 'all'; + +use Apache::Test; +use Apache::TestRequest; +use Apache::TestUtil; + +plan tests => 2, need 'setenvif', need_min_apache_version("2.1.6"); + +Apache::TestRequest::scheme("https"); + +my $r = GET("/require/asf/modules/setenvif/ssl/peerextlist.shtml", cert => 'client_ok'); + +ok t_cmp($r->code, 200, "fetched page works"); + +my $c = $r->content; + +chomp $c; + +ok t_cmp($c, "0:This Is A Comment", "Retrieve nsComment extension"); +