Joe Orton wrote:
On Mon, Jul 28, 2003 at 10:09:49PM +1200, James Collier wrote:

I am in the process of upgrading a site from 1.3.x to 2.0.47, and have
encountered a (perhaps obscure) problem.

For mod_rewrite I sometimes need to extract and/or test client
certificate field values.

Under 1.3.27/2.8.14 and earlier I could use - (at virtual host level):

===================

SSLEngine on
...
SSLVerifyClient require
SSLOptions +StdEnvVars +StrictRequire
...
RewriteEngine on
RewriteLogLevel 9
...
RewriteCond %{LA_U:SSL_CLIENT_S_DN} (..*)

====================

As of apache 2, the rewrite log shows that the SSL_X environment
variables (and the HTTPS variable) are not being set during the lookahead.

Can anyone think what might have changed that would cause this? e.g. any
changes in the ssl fixup-phase hook handler and sub-request handling?


Yes, a few people have reported this problem... the mod_ssl fixup
handler is running too late to be useful like this in 2.0: you should be
able to fix it as below:

Index: mod_ssl.c
===================================================================
RCS file: /store/cvs/root/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.86
diff -u -r1.86 mod_ssl.c
--- mod_ssl.c   24 Jun 2003 21:40:32 -0000      1.86
+++ mod_ssl.c   28 Jul 2003 10:17:26 -0000
@@ -508,7 +508,7 @@
     ap_hook_child_init    (ssl_init_Child,         NULL,NULL, APR_HOOK_MIDDLE);
     ap_hook_translate_name(ssl_hook_Translate,     NULL,NULL, APR_HOOK_MIDDLE);
     ap_hook_check_user_id (ssl_hook_UserCheck,     NULL,NULL, APR_HOOK_FIRST);
-    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_fixups        (ssl_hook_Fixup,         NULL,NULL, APR_HOOK_REALLY_FIRST);
     ap_hook_access_checker(ssl_hook_Access,        NULL,NULL, APR_HOOK_MIDDLE);
     ap_hook_auth_checker  (ssl_hook_Auth,          NULL,NULL, APR_HOOK_MIDDLE);
     ap_hook_post_read_request(ssl_hook_ReadReq,    NULL,NULL, APR_HOOK_MIDDLE);
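Review bot: The new APR_HOOK_REALLY_FIRST on the ap_hook_fixups line carries no comment saying which consumer depends on ssl_hook_Fixup running early, so a later cleanup could put it back to APR_HOOK_MIDDLE without anyone noticing. Add a one-line comment naming the dependency (other modules' fixup handlers, such as mod_rewrite, reading the SSL_* variables). Since both ordering arguments on that line are still NULL, consider passing an explicit successor list there instead of taking the global REALLY_FIRST slot. Note also that this only reorders handlers within the fixups hook: anything that reads the variables in an earlier phase, such as translate_name where ssl_hook_Translate is registered, is not affected by the change.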


______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Many thanks for the quick response, Joe.


I have applied the proposed patch, but unfortunately it does not seem to have fixed the problem.

I will investigate further and report back.
