On Mon, 2003-06-09 at 14:35, Geoffrey Young wrote:
> Ryan Muldoon wrote:
> > Geoffrey,
> >
> > Thanks for the explanation. Unfortunately, I think I am still a little
> > unclear as to how to proceed. If I understand you correctly, my first
> > method is completely wrongheaded.
>
> :)
>
> > (I tried this because it is how the
> > "Writing Apache Modules with Perl and C" does it. p.327)
>
> don't have my book handy to check that.
>
> > So it sounds
> > like the second way is the appropriate usage for subprocess_env(). But
> > it seems like you're saying that I shouldn't be using that at all.
>
> no, I wasn't saying that :) subprocess_env() from the main request is the
> right way to go. I was just trying to let you know that it has nothing to
> do with %ENV really.
>
Ok, cool. Thanks for the clarification ;-)
> > Specifically, here is what I'd like to get out of the environment:
> > SSL_CLIENT_S_DN_CN
> > SSL_CLIENT_S_DN_O
> > and things of that nature.
>
> ok, those are definitely setup in the subprocess_env table according to the
> code I just took a look at. however...
>
> > According to mod_ssl's documentation, these
> > are put in ENV upon processing of a client certificate.
>
> from what I can see, that's not entirely true. they are set in
> subprocess_env where they sit and wait, presumably for somebody else to call
> add_cgi_vars since mod_ssl does not (but mod_cgi and mod_perl both do).
>
> the problem you're seeing is that these variables are setup during the fixup
> phase, so in using a PerlAuthenHandler you're trying to see them too early.
>
> int ssl_hook_Fixup(request_rec *r)
> {
> SSLSrvConfigRec *sc = mySrvConfig(r->server);
> SSLDirConfigRec *dc = myDirConfig(r);
> table *e = r->subprocess_env;
> ...
> /*
> * Annotate the SSI/CGI environment with standard SSL information
> */
> /* the always present HTTPS (=HTTP over SSL) flag! */
> ap_table_set(e, "HTTPS", "on");
> /* standard SSL environment variables */
> if (dc->nOptions & SSL_OPT_STDENVVARS) {
> for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
> var = (char *)ssl_hook_Fixup_vars[i];
> val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
> if (!strIsEmpty(val))
> ap_table_set(e, var, val);
> }
> }
>
> in other words, you're SOL from the current request. perhaps this is why
> the eagle book said to get them from a subrequest - presumably the
> subrequest would have them, since it runs through the fixup phase and SSL
> stuff is per-connection and not per-request.
>
Yeah, I think that was the motivation. On the upside of my current
difficulty, I'm getting to learn a lot more about how apache does
things.
> > Ideally, I'd
> > like to make which fields to extract configurable, so I don't want to
> > hard-code.
> >
> > Currently, I have
> > PerlPassEnv SSL_CLIENT_S_DN_O
> > PerlPassEnv SSL_CLIENT_S_DN_CN
> > in my httpd.conf, but it doesn't seem to make any kind of difference.
>
> don't do that. PerlPassEnv is for passing variables such as those from
> /etc/profile to the %ENV of the Apache child processes.
>
Ok, removed. Thank you very much for the in-depth replies. It is very
useful. Unfortunately any variable-reading continues to elude me. But
I really appreciate all the help!
--Ryan
