mod_perl2 and SSL

on 06.03.2006 16:20:31 by Dominique Launay

Hi,

I'm trying to authenticate people with their certificate and reuse their
email address for authorization in an Apache2 authzhandler.

Authentication works fine. I know how to do that.

But I can't obtain SSL env vars: $r->subprocess_env works and populates
the %ENV hash table, but %ENV doesn't contain any SSL vars such as
SSL_CLIENT_S_DN_Email.

But a printenv.cgi script shows me that these env vars are defined.

Any idea?

Thanks in advance.

Dominique

Re: mod_perl2 and SSL

on 08.03.2006 01:25:49 by Big and Blue

Dominique Launay wrote:

> But I can't obtain SSL env vars: $r->subprocess_env works and populates
> the %ENV hash table, but %ENV doesn't contain any SSL vars such as
> SSL_CLIENT_S_DN_Email.

Since you're authenticating and authorizing, mod_perl doesn't have
environment variables set (that only gets done at the handler stage, if at
all).

Sorry that isn't an *answer* to your problem, but at least indicates
what it is.



--
Just because I've written it doesn't mean that
either you or I have to believe it.

Re: mod_perl2 and SSL

on 08.03.2006 12:13:35 by Dominique Launay

On Wed, 08 Mar 2006 00:25:49 +0000, Big and Blue wrote:

> Dominique Launay wrote:
>
>> But I can't obtain SSL env vars: $r->subprocess_env works and populates
>> the %ENV hash table, but %ENV doesn't contain any SSL vars such as
>> SSL_CLIENT_S_DN_Email.
>
> Since you're authenticating and authorizing, mod_perl doesn't have
> environment variables set (that only gets done at the handler stage, if at
> all).
>
> Sorry that isn't an *answer* to your problem, but at least indicates
> what it is.

OK, but what I don't understand is that I can obtain other env vars
(REMOTE_USER, HTTP_USER_AGENT...). So if SSL is enabled, why can't I access
SSL env vars?

When I use a first authentication module (getting the REMOTE_USER env var), I
can access this var with my authorization module.

I hope I can find a solution. But there are not a lot of people using client
certificate https authentication. I'm afraid I have to find a solution by
myself.



Re: mod_perl2 and SSL

on 09.03.2006 01:28:13 by Big and Blue

Big and Blue wrote:
>
> Since you're authenticating and authorizing, mod_perl doesn't have
> environment variables set (that only gets done at the handler stage, if
> at all).
>
> Sorry that isn't an *answer* to your problem, but at least indicates
> what it is.

But this may be the answer (I knew I had it floating around in a
comment at work somewhere...).

> This requirement could actually be removed by running a sub-request
> to get the final environment info. Eg: (from O'Reilly's Writing Apache
> Modules p328, ISBN 1-56592-567-X, Example 6-17):
>
> my $subr = $r->lookup_uri($r->uri);
> my $ssl_proto = $subr->subprocess_env('SSL_PROTOCOL');
>
> $ssl_proto will be set to, eg:, SSLv3 if we are using SSL, otherwise it
> will be undefined.



--
Just because I've written it doesn't mean that
either you or I have to believe it.

Re: mod_perl2 and SSL

on 09.03.2006 20:04:44 by Big and Blue

Dominique Launay wrote:
>
> OK, but what I don't understand is that I can obtain other env vars
> (REMOTE_USER, HTTP_USER_AGENT...). So if SSL is enabled, why can't I access
> SSL env vars?

For that you'll have to read the mod_ssl code. It specifically (IIRC)
doesn't set environment variables at the start, but does add a
fixup_handler(? - whatever comes just before the ResponseHandler) to do the
work just before you generate content. (Could be wrong - it's over a year
since I did this check...).

> When I use a first authentication module (getting the REMOTE_USER env var), I
> can access this var with my authorization module.

Such modules usually set the value then as they only have one to set.

> I hope I can find a solution. But there are not a lot of people using client
> certificate https authentication. I'm afraid I have to find a solution by
> myself.

I posted one as a follow-up to my original post. I think it should
work for you.

--
Just because I've written it doesn't mean that
either you or I have to believe it.

Re: mod_perl2 and SSL

on 10.03.2006 07:52:06 by Dominique Launay

On Thu, 09 Mar 2006 19:04:44 +0000, Big and Blue wrote:

> Dominique Launay wrote:
>>
>> OK, but what I don't understand is that I can obtain other env vars
>> (REMOTE_USER, HTTP_USER_AGENT...). So if SSL is enabled, why can't I access
>> SSL env vars?
>
> For that you'll have to read the mod_ssl code. It specifically (IIRC)
> doesn't set environment variables at the start, but does add a
> fixup_handler(? - whatever comes just before the ResponseHandler) to do the
> work just before you generate content. (Could be wrong - it's over a year
> since I did this check...).

I'll try to read.
>
> I posted one as a follow-up to my original post. I think it should
> work for you.
Thank you

Re: mod_perl2 and SSL

on 13.03.2006 12:03:57 by Dominique Launay

On Thu, 09 Mar 2006 00:28:13 +0000, Big and Blue wrote:
>> my $subr = $r->lookup_uri($r->uri);
>> $ssl_proto will be set to, eg:, SSLv3 if we are using SSL, otherwise it
>> will be undefined.
Thanks a lot.
My code is now

my $subr = $r->lookup_uri($r->uri);
my $ssl_email = $subr->subprocess_env('SSL_CLIENT_S_DN_Email');

and it works.

I'd been trying it with mod_perl1.99 and it didn't seem to work. That's why
I was programming in another way.
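
Added example, not part of the original thread or any poster's code: a complete mod_perl2 authorization handler built around the sub-request lookup shown above, denying access whenever the certificate e-mail is missing or not on an allow list. The package name My::CertEmailAuthz and the AllowedEmails PerlSetVar are hypothetical; it assumes mod_ssl runs with SSLVerifyClient require and SSLOptions +StdEnvVars, so the address comes from a certificate the server has verified.

```perl
package My::CertEmailAuthz;    # hypothetical module name

use strict;
use warnings;

use Apache2::RequestRec  ();   # $r->uri, $r->subprocess_env
use Apache2::RequestUtil ();   # $r->dir_config
use Apache2::SubRequest  ();   # $r->lookup_uri
use Apache2::Log         ();   # $r->log_error
use Apache2::Const -compile => qw(OK FORBIDDEN);

sub handler {
    my $r = shift;

    # During the authz phase the SSL_* variables are not yet in the
    # request's environment. A sub-request for the same URI carries
    # them, as reported in the thread.
    my $subr  = $r->lookup_uri($r->uri);
    my $email = $subr->subprocess_env('SSL_CLIENT_S_DN_Email');

    # Fail closed: no certificate e-mail means no access, whether the
    # cause is plain HTTP, a certificate without an e-mail field, or
    # SSLOptions +StdEnvVars missing from the configuration.
    unless (defined $email && length $email) {
        $r->log_error('no SSL_CLIENT_S_DN_Email available, denying '
                      . $r->uri);
        return Apache2::Const::FORBIDDEN;
    }

    # AllowedEmails is a hypothetical PerlSetVar holding a
    # whitespace-separated list, e.g.
    #   PerlSetVar AllowedEmails "alice@example.org bob@example.org"
    # An unset or empty list authorizes nobody.
    my %allowed = map { lc($_) => 1 }
                  split ' ', ($r->dir_config('AllowedEmails') || '');

    return Apache2::Const::OK if $allowed{ lc $email };

    $r->log_error("certificate e-mail '$email' not authorized for "
                  . $r->uri);
    return Apache2::Const::FORBIDDEN;
}

1;
```

The e-mail field is only as trustworthy as the CAs accepted for client certificates, so the allow list is meaningful only when SSLCACertificateFile (or SSLCACertificatePath) is limited to issuers that validate that field.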