Ralf S. Engelschall ([EMAIL PROTECTED]) typed this ...
> On Fri, Jul 14, 2000, Kurt Sussman wrote:
> > I have modified mod_ssl-2.6.4 to pass configurable elements of the
> > cert as headers (instead of or in addition to putting all the cert
> > info into the environment).
>
> I still do not understand the whole issue and the reason for your
> change, but without a particular patch I cannot comment on it. So,
> please show us the code! ;)
OK, I didn't want to clutter the list with an issue that may not be
interesting to the majority of people, but since you asked...
I'm using Enhydra, a Java app framework (www.enhydra.org). There
is a module they call the Enhydra Director; it's a load balancing
and failover module that passes requests to instances of the Enhydra
application server.
The Enhydra app I'm building will run behind Apache+mod_ssl, and
I want to get the user's email address out of the certificate to
verify that the browser and the session really go together (to
avoid session hijacking), and that the user's login matches their
browser cert.
I could have tweaked the enhydra director to read the SSL vars out
of the environment, and that is still a relatively elegant option.
It seemed more generally useful, however, to allow the httpd admin
to specify (by directory) which of the environment vars should be
passed as HTTP headers. That would reduce the per-transaction load
(over writing 77 environment vars with every transaction), and
allow some flexibility for the site coders.
So, without further ado (and without apologies for the limited
comments and my lack of experience writing Apache modules), here
are the context diffs for mod_ssl-2.6.4.
*** pkg.sslmod/mod_ssl.c Tue Jul 11 14:52:20 2000
--- pkg.sslmod.new/mod_ssl.c Thu Jul 13 20:43:01 2000
***************
*** 188,195 ****
* Per-directory context configuration directives
*/
AP_DIR_CMD(Options, OPTIONS, RAW_ARGS,
! "Set one of more options to configure the SSL engine"
"(`[+-]option[=value] ...' - see manual)")
AP_DIR_CMD(RequireSSL, AUTHCFG, NO_ARGS,
"Require the SSL protocol for the per-directory context "
"(no arguments)")
--- 188,198 ----
* Per-directory context configuration directives
*/
AP_DIR_CMD(Options, OPTIONS, RAW_ARGS,
! "Set one or more options to configure the SSL engine"
"(`[+-]option[=value] ...' - see manual)")
+ AP_DIR_CMD(XHeaders, OPTIONS, RAW_ARGS,
+ "Set one or more env tags to pass as X-headers"
+ "(e.g. `SSL_TAG' becomes `X-SSL_TAG=value')")
AP_DIR_CMD(RequireSSL, AUTHCFG, NO_ARGS,
"Require the SSL protocol for the per-directory context "
"(no arguments)")
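Review bot: XHeaders is registered in the OPTIONS override class like SSLOptions, which means it can be set from .htaccess wherever AllowOverride Options is granted; since the headers this directive emits are what the back end trusts for authentication, consider the AUTHCFG class that RequireSSL uses in the same block, and add the directive to the mod_ssl reference manual next to SSLOptions. The help string is also slightly off: the result is a request header, so `SSL_TAG' becomes `X-SSL_TAG: value', not `X-SSL_TAG=value'.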
*** pkg.sslmod/mod_ssl.h Tue Jul 11 14:52:20 2000
--- pkg.sslmod.new/mod_ssl.h Thu Jul 13 20:43:01 2000
***************
*** 626,631 ****
--- 626,632 ----
char *szCipherSuite;
ssl_verify_t nVerifyClient;
int nVerifyDepth;
+ array_header *aXHeaders;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
char *szCACertificatePath;
char *szCACertificateFile;
***************
*** 669,674 ****
--- 670,676 ----
const char *ssl_cmd_SSLLog(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLLogLevel(cmd_parms *, char *, char *);
const char *ssl_cmd_SSLProtocol(cmd_parms *, char *, const char *);
+ const char *ssl_cmd_SSLXHeaders(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
*** pkg.sslmod/ssl_engine_config.c Tue Jul 11 14:52:20 2000
--- pkg.sslmod.new/ssl_engine_config.c Thu Jul 13 20:48:36 2000
***************
*** 305,310 ****
--- 305,311 ----
dc->nOptionsDel = SSL_OPT_NONE;
dc->szCipherSuite = NULL;
+ dc->aXHeaders = ap_make_array(p, 0, sizeof(char *));
dc->nVerifyClient = SSL_CVERIFY_UNSET;
dc->nVerifyDepth = UNSET;
#ifdef SSL_EXPERIMENTAL_PERDIRCA
***************
*** 347,352 ****
--- 348,354 ----
}
cfgMergeString(szCipherSuite);
+ cfgMergeArray(aXHeaders);
cfgMerge(nVerifyClient, SSL_CVERIFY_UNSET);
cfgMergeInt(nVerifyDepth);
#ifdef SSL_EXPERIMENTAL_PERDIRCA
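Review bot: cfgMergeArray(aXHeaders) merges a child directory's tag list with its parent's rather than overriding it, so there is no way to turn the forwarding off again in a subdirectory, and a tag listed at both levels ends up in the array twice and is looked up and set twice per request. Either document that XHeaders is cumulative or give the directive a way to reset the inherited list (an empty or `none' argument), and de-duplicate on merge.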
***************
*** 902,907 ****
--- 904,926 ----
return NULL;
}
+ const char *ssl_cmd_SSLXHeaders(
+ cmd_parms *cmd, SSLDirConfigRec *dc, char *cpLine)
+ {
+ char *thisTag = ap_pstrdup(cmd->pool, cpLine);
+ /* add strings to dir array */
+ while (*(thisTag) != '\0') {
+ *(char **)ap_push_array(dc->aXHeaders) = thisTag;
+ while ((*(thisTag) != '\0') && (*(thisTag) != ' ')) thisTag++;
+ if (*thisTag == ' ') {
+ *thisTag = '\0';
+ thisTag++;
+ }
+ }
+
+ return NULL;
+ }
+
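Review bot: the hand-rolled tokenizer in ssl_cmd_SSLXHeaders splits only on a single ' ' and validates nothing: two consecutive spaces push an empty string (which later becomes a header named just `X-'), a tab is kept as part of the tag, and any string at all is accepted as a variable name. Use ap_getword_conf(cmd->pool, &cpLine) in a loop, which handles runs of whitespace and quoting the way every other directive does, or declare the directive ITERATE in AP_DIR_CMD and let Apache split the arguments, and reject a tag that is not a valid header token before pushing it.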
#ifdef SSL_EXPERIMENTAL_PROXY
const char *ssl_cmd_SSLProxyProtocol(
*** pkg.sslmod/ssl_engine_kernel.c Tue Jul 11 14:52:20 2000
--- pkg.sslmod.new/ssl_engine_kernel.c Thu Jul 13 20:47:18 2000
***************
*** 1249,1254 ****
--- 1249,1256 ----
table *e = r->subprocess_env;
char *var;
char *val;
+ char xtag[50] = "X-"; /* holds xheader for inserting into headers_in */
+ char **xheaderList = NULL;
STACK_OF(X509) *sk;
SSL *ssl;
int i;
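Review bot: `char xtag[50]' is a fixed stack buffer that the hunk below fills with strcpy(xtag+2, var) with no length check, so a configured tag of 48 or more characters overflows it. The tag comes from httpd.conf rather than from the client, but there is no reason to carry the limit at all: build the name with ap_pstrcat(r->pool, "X-", var, NULL) inside the loop, which also lets xtag and xheaderList be declared where they are used instead of at the top of the hook.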
***************
*** 1273,1278 ****
--- 1275,1296 ----
val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
if (!strIsEmpty(val))
ap_table_set(e, var, val);
+ }
+ }
+
+ if (dc->aXHeaders) {
+ if (dc->aXHeaders->nelts > 0) {
+ xheaderList = (char **)dc->aXHeaders->elts;
+
+ for (i = 0; i < dc->aXHeaders->nelts; i++) {
+ var = xheaderList[i];
+ val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+ if (!strIsEmpty(val)) {
+ strcpy((xtag+2), var);
+ ap_table_set(r->headers_in, xtag, val);
+ ssl_log(r->server, SSL_LOG_TRACE, "Add SSL header: %s = %s",
+var, val);
+ }
+ }
}
}
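Review bot: r->headers_in is the client's own header set, and this loop only calls ap_table_set when ssl_var_lookup returns a non-empty value, so whenever a variable is empty (no client certificate presented, SSLVerifyClient optional, or a certificate without an Email attribute) a client-supplied `X-SSL_CLIENT_S_DN_Email: someone@else' passes through to the back end untouched, and the back end described in the mail would take it as the certificate email. Call ap_table_unset(r->headers_in, xtag) for every configured tag before the strIsEmpty() test so the header is either set from the certificate or absent, and check that this code is also reached for requests the SSL engine is not handling (otherwise a non-SSL vhost proxied to the same back end strips nothing and the back end must verify SSL_CLIENT_VERIFY itself). The `if (dc->aXHeaders)' test is redundant since the array is always created in the per-directory config constructor, and the TRACE log line writes the certificate values (email addresses) to the SSL log, which is worth noting in the documentation for the directive.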
--Kurt
----------------------------------------------------------------------
Merlot Research Group, Inc http://www.merlot.com
Software Quality and Testability Consulting [EMAIL PROTECTED]
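The session-binding idea from the mail, namely that the back end compares the login a session was created with against the client-certificate email the front end forwards as an X- header, is sketched below as an added example. This is not code from the patch, from mod_ssl or from Enhydra: the fixed-size header table stands in for Apache's table API, the header name X-SSL_CLIENT_S_DN_Email follows the patch's "X-" plus variable-name convention, and the back-end check is a hypothetical one written for illustration. The point it shows is the difference between only setting an X- header when the certificate variable is present and unsetting it first: with the former, a client that presents no certificate can forge the header and be accepted as another user.

```c
/* Added example, not part of the mod_ssl patch or of Enhydra.
   Models the front end forwarding SSL variables as X- headers and a
   back end that binds the session login to the certificate email. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HEADERS 16
#define MAX_NAME    64
#define MAX_VALUE   128

typedef struct { char name[MAX_NAME]; char value[MAX_VALUE]; } header_t;
typedef struct { header_t h[MAX_HEADERS]; int n; } header_table_t;

/* HTTP header names are case-insensitive, so compare them that way. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const char *table_get(const header_table_t *t, const char *name) {
    for (int i = 0; i < t->n; i++)
        if (name_eq(t->h[i].name, name)) return t->h[i].value;
    return NULL;
}

/* Remove every entry with the given name (compacting the array in place). */
static void table_unset(header_table_t *t, const char *name) {
    int j = 0;
    for (int i = 0; i < t->n; i++)
        if (!name_eq(t->h[i].name, name)) { if (i != j) t->h[j] = t->h[i]; j++; }
    t->n = j;
}

/* Replace-or-add semantics, like ap_table_set(). Returns -1 when full. */
static int table_set(header_table_t *t, const char *name, const char *value) {
    table_unset(t, name);
    if (t->n >= MAX_HEADERS) return -1;
    snprintf(t->h[t->n].name, MAX_NAME, "%s", name);
    snprintf(t->h[t->n].value, MAX_VALUE, "%s", value);
    t->n++;
    return 0;
}

/* Front end: copy each configured SSL variable into an X- request header.
   ssl_vars holds what mod_ssl would expose; an absent or empty value models a
   connection with no client certificate. With strip_first == 0 this behaves
   like the patch (set only when the value is non-empty); with strip_first == 1
   the header is unset first, so a client-supplied copy never survives. */
static int forward_ssl_headers(header_table_t *req, const header_table_t *ssl_vars,
                               const char *const *tags, int ntags, int strip_first) {
    char xname[MAX_NAME];
    for (int i = 0; i < ntags; i++) {
        if (snprintf(xname, sizeof xname, "X-%s", tags[i]) >= (int)sizeof xname)
            return -1;                       /* tag too long: refuse, do not truncate */
        const char *val = table_get(ssl_vars, tags[i]);
        if (strip_first) table_unset(req, xname);
        if (val && *val && table_set(req, xname, val) != 0) return -1;
    }
    return 0;
}

/* Back end (hypothetical check): accept the request only if the forwarded
   certificate email equals the login the session was created with. */
static int session_matches_cert(const header_table_t *req, const char *session_login) {
    const char *email = table_get(req, "X-SSL_CLIENT_S_DN_Email");
    if (email == NULL || *email == '\0') return 0;   /* no certificate: reject */
    return strcmp(email, session_login) == 0;
}

static const char *const TAGS[] = { "SSL_CLIENT_S_DN_Email", "SSL_CLIENT_VERIFY" };

/* Constructed scenario: no client certificate, but the client forges the
   X- header. Returns 1 if the back end accepts it as the victim's session. */
static int forged_header_accepted(int strip_first) {
    header_table_t req = {{{{0}}}, 0}, ssl_vars = {{{{0}}}, 0};
    table_set(&req, "Host", "app.example.com");
    table_set(&req, "X-SSL_CLIENT_S_DN_Email", "victim@example.com"); /* attacker-supplied */
    table_set(&ssl_vars, "SSL_CLIENT_VERIFY", "NONE");   /* email variable absent */
    if (forward_ssl_headers(&req, &ssl_vars, TAGS, 2, strip_first) != 0) return -1;
    return session_matches_cert(&req, "victim@example.com");
}

/* Constructed scenario: genuine verified certificate for alice@example.com. */
static int genuine_cert_accepted(void) {
    header_table_t req = {{{{0}}}, 0}, ssl_vars = {{{{0}}}, 0};
    table_set(&req, "Host", "app.example.com");
    table_set(&ssl_vars, "SSL_CLIENT_VERIFY", "SUCCESS");
    table_set(&ssl_vars, "SSL_CLIENT_S_DN_Email", "alice@example.com");
    if (forward_ssl_headers(&req, &ssl_vars, TAGS, 2, 1) != 0) return -1;
    return session_matches_cert(&req, "alice@example.com");
}

int main(void) {
    printf("forged header, set-only-when-present: accepted=%d\n", forged_header_accepted(0));
    printf("forged header, unset-then-set:        accepted=%d\n", forged_header_accepted(1));
    printf("genuine certificate:                  accepted=%d\n", genuine_cert_accepted());
    return 0;
}
```

The first line of output is the failure mode: with the patch's set-only-when-present logic the forged header reaches the back end and the session check passes for a client that never presented a certificate. Unsetting the configured headers before the lookup, or checking SSL_CLIENT_VERIFY on the back end as well, closes that path.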
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]