I'm facing a similar problem. I'm developing a module for Apache (also IIS
and IPlanet) that should validate clients using their certificates against
a directory (LDAP).
The problem with Apache + mod_ssl is that mod_ssl doesn't 'export' any of
the session variables until late in the fixup stage.
I need the client certificate earlier, in the client authentication /
access control stage.
Frankly the only way I could figure to solve this problem was to patch
mod_ssl source (ssl_engine_kernel.c) to make it export the client
certificate to the request context.
I really hate to do this, as I must apply the patch and recompile mod_ssl
any place the module is installed.
I think (correct me if I'm wrong), that mod_ssl should 'export' some client
info to the request context, this way other modules can take advantage of that.
In IIS and IPlanet, you can have access to the client certificate (or
server), by using a server support function.
Please, if anyone found a workaround without modifying the mod_ssl source
I'd really appreciate it.
Thanks in advance
Diego
PS: Already mailed Ralph about this, but I know he's a really busy man, so
I'm not expecting a quick response.
At 12:40 2/4/2001 +0200, you wrote:
>Hi all,
>
>New to mod_ssl I've stumbled upon a very disturbing problem: I'm coding an
>Apache module that needs to know whether we have a secure (SSL) connection
>or not in the URI Translation phase. We've solved this problem on for
>example MS IIS by checking SSI/CGI environments with the standard SSL
>information (HTTPS=on). A quick look in the mod_ssl source reveals that this
>variable isn't set before the pre-run fixup phase (just before the response
>handlers), so this solution seems inadequate.
>
>So in short: How can a module check if the current request is a secure one?
>(without workarounds à la specifying secure ports in configuration files
>etc)
>
>A mod_ssl solution or even better a generic SSL solution would be soo much
>appreciated.
>
>(Apache/1.3.14, mod_ssl/2.7.2, OpenSSL/0.9.6)
>
>Regards,
>Manne Anliot
>Sweden.
>
>mailto:[EMAIL PROTECTED]
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
Diego Tártara
[EMAIL PROTECTED]
------------------------------------------