On 2012-06-26 22:17, oh...@cox.net wrote:
---- Sorin Manolache<sor...@gmail.com> wrote:
On 2012-06-26 19:56, oh...@cox.net wrote:
You cannot wait until mod_ssl runs its fixups, you have to hook one of
the hooks that execute earlier than webgate's check_user_id or
auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
your hook, you have to get yourself the values of the server
certificates, client certificate, etc, everything that mod_ssl would
have given you, but too late.
"
I guess that what I'm seeing is exactly what you said would happen, i.e., my
check_user_id hook function is being called, but none of the SSL vars are
populated (since, as you said mod_ssl doesn't populate them until the fixup
phase).
What mechanisms/methods could I use to get those SSL vars ("you have to get yourself
the values of the server certificates, client certificate, etc, ") at this point?
I don't know, unfortunately. Have a look at the sources
(modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
does it.
Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
Maybe you can use it in check_user_id already.
Sorin
Sorin,
THANKS for that pointer to ssl_var_lookup.
As a very small payback (VERY small) for your help (and others), and for the record, I
put the following code (assembled from various places) in the ap_headers_early, and it
seems to work "somewhat":
static apr_status_t ap_headers_early(request_rec *r)
{
    /* apr_dynamic_fn_retrieve is declared in apr_optional.h */
    typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*,
                                      request_rec*, char*);
    ssl_var_lookup_t ssl_var_lookup = 0;
    const char *foo = NULL;

    printf("In ap_headers_early\n");
    printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
    /* The lookup returns NULL when mod_ssl is not loaded: check before calling */
    ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
    if (ssl_var_lookup != NULL) {
        foo = ssl_var_lookup(r->pool, r->server, r->connection, r,
                             "SSL_CLIENT_CERT");
    }
    printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo ? foo : "(null)");
.
.
and it seems to work perfectly!!
Do you think that such calls would work in ANY hook? In other words, would I
be at my leisure to use that in ANY of the module hooks?
No, it won't work in any hook, in my opinion. The availability of the
data depends on the phase (hook) in which you run the ssl_var_lookup.
I think, though I'm not sure, that the data are gathered in the
post_read_request hook. If so, ssl_var_lookup would work in any hook
that is called after post_read_request.
ap_headers_early is run in post_read_request. My intuition is that
putting your code there is slightly too early. This is because the
directory-wide configuration of the request is not yet correctly set in
this phase and URL rewrite rules have not yet been applied, although I
don't know if this would affect your functionality.
I'd put the code either in header_parser or in check_user_id and I'd try
to make sure that my check_user_id is run before webgate's check_user_id.
I'd go for header_parser as it is always run for main requests.
check_user_id is run only when some conditions are satisfied (check the
ap_process_request_internal in server/request.c).
If you go for check_user_id, make sure that it is run before Oracle's
check_user_id. In order to do so, you can use APR_HOOK_FIRST
(ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)),
or you can use something like
static const char *successor[] = {nameoftheoraclesourcefile, NULL};
ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);
(See how mod_ssl places its post_read_request _after_ mod_setenvif's in
modules/ssl/mod_ssl.c)
Also, I would not change mod_headers, I would write my own module in
which I'd place my header_parser hook.
Sorin
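
The two registration options in the reply above (APR_HOOK_FIRST versus a successor list) differ in what they guarantee. The following is an added example, not code from this thread or from APR: a simplified stand-alone model of hook ordering, modelled on APR sorting by order number and then applying successor constraints. The file names `mod_mine.c` and `webgate_placeholder.c` are placeholders, since the thread does not name the Oracle source file.

```c
/* Simplified model of APR hook ordering (added example; file names are placeholders). */
#include <stdio.h>
#include <string.h>
enum { HOOK_FIRST = 0, HOOK_MIDDLE = 10 };  /* APR_HOOK_FIRST, APR_HOOK_MIDDLE */

struct hook {
    const char *src;        /* source file name of the registering module */
    int order;              /* numeric order passed at registration */
    const char *successor;  /* module that must run after this one, or NULL */
};

/* Numeric order first; successor constraints then override it. */
static void sort_hooks(struct hook *h, int n)
{
    int i, j, moved, pass = 0;
    for (i = 1; i < n; i++) {               /* stable insertion sort by order */
        struct hook t = h[i];
        for (j = i; j > 0 && h[j - 1].order > t.order; j--)
            h[j] = h[j - 1];
        h[j] = t;
    }
    do {    /* move a hook that sits after its named successor in front of it */
        moved = 0;
        for (i = 1; i < n && !moved; i++)
            for (j = 0; h[i].successor && j < i && !moved; j++)
                if (strcmp(h[j].src, h[i].successor) == 0) {
                    struct hook t = h[i];
                    memmove(&h[j + 1], &h[j], (size_t)(i - j) * sizeof *h);
                    h[j] = t;
                    moved = 1;
                }
    } while (moved && ++pass < n * n);      /* bound guards against cycles */
}

/* Position (0 = runs first) of module `src` once the hooks are sorted. */
static int position_of(struct hook *h, int n, const char *src)
{
    int i;
    sort_hooks(h, n);
    for (i = 0; i < n && strcmp(h[i].src, src) != 0; i++) {}
    return i < n ? i : -1;
}

int main(void)
{
    struct hook h[] = { { "mod_mine.c", HOOK_MIDDLE, "webgate_placeholder.c" },
                        { "webgate_placeholder.c", HOOK_FIRST, NULL } };
    printf("mod_mine.c runs at position %d\n", position_of(h, 2, "mod_mine.c"));
    return 0;
}
```

In this model ties on the order number keep registration order; real APR makes no such promise, so if the other module also registers with APR_HOOK_FIRST, only the successor list pins the order.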