---- Sorin Manolache <sor...@gmail.com> wrote: 
> On 2012-06-26 19:56, oh...@cox.net wrote:
> >>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>> the hooks that execute earlier than webgate's check_user_id or
> >>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>> your hook, you have to get yourself the values of the server
> >>> certificates, client certificate, etc, everything that mod_ssl would
> >>> have given you, but too late.
> > "
> >
> > I guess that what I'm seeing is exactly what you said would happen, i.e., 
> > my check_user_id hook function is being called, but none of the SSL vars 
> > are populated (since, as you said mod_ssl doesn't populate them until the 
> > fixup phase).
> >
> > What mechanisms/methods could I use to get those SSL vars ("you have to get 
> > yourself the values of the server certificates, client certificate, etc, ") 
> > at this point?
> 
> I don't know, unfortunately. Have a look at the sources 
> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
> does it.
> 
> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
> Maybe you can use it in check_user_id already.
> 
> Sorin


Sorin,

THANKS for that pointer to ssl_var_lookup.  

As a very small payback (VERY small) for your help (and others), and for the 
record, I put the following code (assembled from various places) in the 
ap_headers_early, and it seems to work "somewhat":


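#include "apr_optional.h"   /* apr_dynamic_fn_retrieve() */

/* Signature of mod_ssl's ssl_var_lookup, as called below */
typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*,
                                  request_rec*, char*);

static apr_status_t ap_headers_early(request_rec *r)
{
    ssl_var_lookup_t ssl_var_lookup = 0;
    const char *foo;

    printf("In ap_headers_early\n");
    printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");

    /* Look up the optional function that mod_ssl exports */
    ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");

    /* NULL if mod_ssl is not loaded; do not call through a NULL pointer */
    if (ssl_var_lookup == NULL) {
        printf("In ap_headers_early: ssl_var_lookup not available\n");
        return DECLINED;
    }

    foo = ssl_var_lookup(r->pool, r->server, r->connection, r,
                         "SSL_CLIENT_CERT");

    printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo ? foo : "");
.
.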

and it seems to work perfectly!!


Do you think that such calls would work in ANY hook?  In other words, would I 
be at my leisure to use that in ANY of the module hooks?  

If so, now that that's working, where (which hook in mod_headers.c) would you 
recommend putting my code in, such that I could get my code to run BEFORE the 
webgate?

Thanks again!!

Jim
