Ryan Muldoon wrote:
Geoffrey,

Thanks for the explanation. Unfortunately, I think I am still a little
unclear as to how to proceed. If I understand you correctly, my first
method is completely wrongheaded.

:)


(I tried this because it is how the
"Writing Apache Modules with Perl and C" does it. p.327)

don't have my book handy to check that.


So it sounds
like the second way is the appropriate usage for subprocess_env().  But
it seems like you're saying that I shouldn't be using that at all.

no, I wasn't saying that :) subprocess_env() from the main request is the right way to go. I was just trying to let you know that it has nothing to do with %ENV really.


Specifically, here is what I'd like to get out of the environment:
SSL_CLIENT_S_DN_CN
SSL_CLIENT_S_DN_O
and things of that nature.

ok, those are definitely setup in the subprocess_env table according to the code I just took a look at. however...


According to mod_ssl's documentation, these
are put in ENV upon processing of a client certificate.

from what I can see, that's not entirely true. they are set in subprocess_env where they sit and wait, presumably for somebody else to call add_cgi_vars since mod_ssl does not (but mod_cgi and mod_perl both do).


the problem you're seeing is that these variables are setup during the fixup phase, so in using a PerlAuthenHandler you're trying to see them too early.

int ssl_hook_Fixup(request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    table *e = r->subprocess_env;
...
    /*
     * Annotate the SSI/CGI environment with standard SSL information
     */
    /* the always present HTTPS (=HTTP over SSL) flag! */
    ap_table_set(e, "HTTPS", "on");
    /* standard SSL environment variables */
    if (dc->nOptions & SSL_OPT_STDENVVARS) {
        for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
            var = (char *)ssl_hook_Fixup_vars[i];
            val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
            if (!strIsEmpty(val))
                ap_table_set(e, var, val);
        }
    }

in other words, you're SOL from the current request. perhaps this is why the eagle book said to get them from a subrequest - presumably the subrequest would have them, since it runs through the fixup phase and SSL stuff is per-connection and not per-request.

Ideally, I'd
like to make which fields to extract configurable, so I don't want to
hard-code.


Currently, I have
PerlPassEnv SSL_CLIENT_S_DN_O
PerlPassEnv SSL_CLIENT_S_DN_CN
in my httpd.conf, but it doesn't seem to make any kind of difference.

don't do that. PerlPassEnv is for passing variables such as those from /etc/profile to the %ENV of the Apache child processes.



--Geoff




Reply via email to