On Wed, Nov 17, 1999, Stefan H. Holek wrote:
> > I want to force only https to certain directories,
> > so following the example in Chapter 5 [last example],
> > <Directory /usr/local/apache/htdocs/secure>
> > RewriteEngine on
> > RewriteCond %{HTTPS} !=on
> > RewriteRule .* - [forbidden]
> > </Directory>
> >
> > still allows both http and https.
>
> I am experiencing a (somehow, possibly) related
> problem. I cannot make the following work
>
> <Directory /blah1>
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
> </Directory>
>
> However, this *does* work:
>
> <Directory /blah2>
> SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
> </Directory>
>
> Using some CGIs at the proper locations I was
> able to verify the environment.
> SSL_CIPHER_USEKEYSIZE *is* 40 when I am using an
> export browser! Still, not "forbidden".
>
> Setup:
> Apache-1.3.9 + mod_ssl-2.4.8-1.3.9/OpenSSL-0.9.4 + php-3.0.12
>
> Ideas?
Yes, my fault. I assumed strcmp(3) works correctly also for number
strings. But that's not the case. Even though it does a lexicographical
compare, it doesn't work for numbers (at least not for numbers of
different length!). I've now committed the following patch for mod_ssl
2.4.9 which should fix the problem the same way a similar function
solved the problem in mod_rewrite.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Index: ssl_expr_eval.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_expr_eval.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- ssl_expr_eval.c 1999/05/01 10:06:08 1.9
+++ ssl_expr_eval.c 1999/11/24 15:33:08 1.10
@@ -70,9 +70,10 @@
** _________________________________________________________________
*/
-static BOOL ssl_expr_eval_comp(request_rec *r, ssl_expr *node);
-static char *ssl_expr_eval_word(request_rec *r, ssl_expr *node);
-static char *ssl_expr_eval_func_file(request_rec *r, char *filename);
+static BOOL ssl_expr_eval_comp(request_rec *, ssl_expr *);
+static char *ssl_expr_eval_word(request_rec *, ssl_expr *);
+static char *ssl_expr_eval_func_file(request_rec *, char *);
+static int ssl_expr_eval_strcmplex(char *, char *);
BOOL ssl_expr_eval(request_rec *r, ssl_expr *node)
{
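Review bot: The new prototype `static int ssl_expr_eval_strcmplex(char *, char *);` takes non-const pointers although the function added at the end of this patch only reads both strings; `static int ssl_expr_eval_strcmplex(const char *, const char *);` states that contract and still accepts the `char *` returned by ssl_expr_eval_word(). Dropping the parameter names from the three existing prototypes also removes the only hint of what each argument is, so keeping `r`, `node` and `filename` would read better.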
@@ -124,22 +125,22 @@
case op_LT: {
ssl_expr *e1 = (ssl_expr *)node->node_arg1;
ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) <
0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1),
+ssl_expr_eval_word(r, e2)) < 0);
}
case op_LE: {
ssl_expr *e1 = (ssl_expr *)node->node_arg1;
ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) <=
0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1),
+ssl_expr_eval_word(r, e2)) <= 0);
}
case op_GT: {
ssl_expr *e1 = (ssl_expr *)node->node_arg1;
ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) >
0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1),
+ssl_expr_eval_word(r, e2)) > 0);
}
case op_GE: {
ssl_expr *e1 = (ssl_expr *)node->node_arg1;
ssl_expr *e2 = (ssl_expr *)node->node_arg2;
- return (strcmp(ssl_expr_eval_word(r, e1), ssl_expr_eval_word(r, e2)) >=
0);
+ return (ssl_expr_eval_strcmplex(ssl_expr_eval_word(r, e1),
+ssl_expr_eval_word(r, e2)) >= 0);
}
case op_IN: {
ssl_expr *e1 = (ssl_expr *)node->node_arg1;
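Review bot: The four relational cases (op_LT, op_LE, op_GT, op_GE) now order every pair of operands by length first, so non-numeric words no longer compare in strcmp order; `b` sorts before `aa`, for example. If an existing SSLRequire expression relies on `<` or `>` over plain strings, its result changes with this commit, which deserves a changelog line and a comment at the first case such as `/* operands are compared as decimal number strings: shorter sorts first, then bytewise */`. The enclosing switch and function begin and end outside this hunk.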
@@ -253,5 +254,29 @@
}
ap_pfclose(r->pool, fp);
return buf;
+}
+
+/* a variant of strcmp(3) which works correctly also for number strings */
+static int ssl_expr_eval_strcmplex(char *cpNum1, char *cpNum2)
+{
+ int i, n1, n2;
+
+ if (cpNum1 == NULL)
+ return -1;
+ if (cpNum2 == NULL)
+ return +1;
+ n1 = strlen(cpNum1);
+ n2 = strlen(cpNum2);
+ if (n1 > n2)
+ return 1;
+ if (n1 < n2)
+ return -1;
+ for (i = 0; i < n1; i++) {
+ if (cpNum1[i] > cpNum2[i])
+ return 1;
+ if (cpNum1[i] < cpNum2[i])
+ return -1;
+ }
+ return 0;
}
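Review bot: The length-first comparison in ssl_expr_eval_strcmplex gives numeric order only for unsigned decimal strings without leading zeros, so an operand such as `0040` compares greater than `128` and a key-size threshold in SSLRequire would evaluate the wrong way. Whether any variable or configured constant reaches this function in that form is not visible in the patch, but normalising after the NULL checks and before the strlen() calls is cheap: `while (cpNum1[0] == '0' && cpNum1[1] != '\0') cpNum1++;` and the same for cpNum2. Separately, two NULL operands return -1 rather than 0, so `<=` and `>=` disagree for that case; `if (cpNum1 == NULL) return (cpNum2 == NULL) ? 0 : -1;` makes it symmetric. Storing strlen() in `int` also narrows a `size_t`, so `size_t` for `i`, `n1` and `n2` would be the safer type.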