---- "William A. Rowe Jr." <[email protected]> wrote:
> On 6/26/2012 3:17 PM, [email protected] wrote:
> >
> > ---- Sorin Manolache <[email protected]> wrote:
> >> On 2012-06-26 19:56, [email protected] wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e.,
> >>> my check_user_id hook function is being called, but none of the SSL vars
> >>> are populated (since, as you said mod_ssl doesn't populate them until the
> >>> fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to
> >>> get yourself the values of the server certificates, client certificate,
> >>> etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> >
> >
> > Sorin,
> >
> > THANKS for that pointer to ssl_var_lookup.
> >
> > As a very small payback (VERY small) for your help (and others), and for
> > the record, I put the following code (assembled from various places) in the
> > ap_headers_early, and it seems to work "somewhat")
> >
> >
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> >
> >     printf("In ap_headers_early\n");
> >
> >     printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> >
> >     typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*,
> >                                       request_rec*, char*);
> >
> >     ssl_var_lookup_t ssl_var_lookup = 0;
> >
> >     /* Look up mod_ssl's exported function at run time */
> >     ssl_var_lookup =
> >         (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> >
> >     /* NULL means mod_ssl is not loaded: do not call through the pointer */
> >     if (ssl_var_lookup == NULL)
> >         return DECLINED;
> >
> >     const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r,
> >                                       "SSL_CLIENT_CERT");
> >
> >     printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> > .
> > .
> >
> > and it seems to work perfectly!!
> >
> >
> > Do you think that such calls would work in ANY hook? In other words, would
> > I be at my leisure to use that in ANY of the module hooks?
> >
> > If so, now that that's working, where (which hook in mod_headers.c) would
> > you recommend putting my code in, such that I could get my code to run
> > BEFORE the webgate?
>
> It won't work until the ssl connection has been negotiated, so no, not
> 'every' hook.
>
> But you can use ssl_var_lookup as a much more effective method of accessing
> just a few ssl connection strings instead of populating a very long and
> inefficient list of every ssl session string (many of which are formatted
> and copied costing additional possibly unnecessary cycles).
>
> Unless the external process requires the entire list of ssl connection
> related text strings, you shouldn't require your module's users to enable
> ssl envvars at all.
Hi,

Thanks for that info. My module actually only needs the SSL_CLIENT_CERT, so I'll give it a try to see what is the minimal (maybe none :)) SSLOptions I'll need.

Jim
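The failure modes raised in this thread (mod_ssl not loaded, or the hook running when no SSL value is available yet) can be handled by a small guard around the lookup. The sketch below is an added example, not code from any poster in the thread or from httpd. The httpd types are opaque stand-ins so it builds without the Apache headers, and `get_client_cert`, `cert_status`, `lookup_plain` and `lookup_tls` are hypothetical names; it assumes a NULL or empty result means "no certificate available".

```c
#include <stddef.h>
#include <string.h>
/* Opaque stand-ins (assumption) so this builds without the httpd headers. */
typedef struct apr_pool_t apr_pool_t;
typedef struct server_rec server_rec;
typedef struct conn_rec conn_rec;
typedef struct request_rec request_rec;

/* Same signature as the typedef in the quoted code. */
typedef char *(*ssl_var_lookup_t)(apr_pool_t *, server_rec *, conn_rec *,
                                  request_rec *, char *);

enum cert_status { CERT_NO_MOD_SSL, CERT_ABSENT, CERT_NOT_PEM, CERT_PRESENT };

/* Hypothetical helper. fn is what apr_dynamic_fn_retrieve() returned. */
static enum cert_status get_client_cert(ssl_var_lookup_t fn, apr_pool_t *p,
        server_rec *s, conn_rec *c, request_rec *r, const char **pem)
{
    static const char hdr[] = "-----BEGIN CERTIFICATE-----";
    char name[] = "SSL_CLIENT_CERT";   /* writable: the parameter is char * */
    const char *val;
    *pem = NULL;
    if (fn == NULL)                    /* mod_ssl not loaded: do not call */
        return CERT_NO_MOD_SSL;
    val = fn(p, s, c, r, name);
    if (val == NULL || *val == '\0')   /* not TLS yet, or no client cert */
        return CERT_ABSENT;
    if (strncmp(val, hdr, sizeof hdr - 1) != 0)
        return CERT_NOT_PEM;           /* shape check only, not validation */
    *pem = val;
    return CERT_PRESENT;
}

/* Constructed lookups modelling two connection states. */
static char no_value[] = "";
static char sample_pem[] = "-----BEGIN CERTIFICATE-----\n(constructed)\n";
static char *lookup_plain(apr_pool_t *p, server_rec *s, conn_rec *c,
                          request_rec *r, char *n)
{ (void)p; (void)s; (void)c; (void)r; (void)n; return no_value; }
static char *lookup_tls(apr_pool_t *p, server_rec *s, conn_rec *c,
                        request_rec *r, char *n)
{ (void)p; (void)s; (void)c; (void)r; (void)n; return sample_pem; }

int main(void)
{
    const char *pem;
    return get_client_cert(lookup_plain, 0, 0, 0, 0, &pem) != CERT_ABSENT
        || get_client_cert(lookup_tls, 0, 0, 0, 0, &pem) != CERT_PRESENT;
}
```

In a real module the function pointer would be retrieved once and the status mapped to the hook's return code, so an early hook that runs before the webgate can decline cleanly instead of acting on an empty value.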
