Apache2: mod_rewrite and mod_ssl interaction changed?

on 28.07.2003 12:09:49 by James Collier

I am in the process of upgrading a site from 1.3.x to 2.0.47, and have
encountered a (perhaps obscure) problem.

For mod_rewrite I sometimes need to extract and/or test client
certificate field values.

Under 1.3.27/2.8.14 and earlier I could use - (at virtual host level):

===================

SSLEngine on
....
SSLVerifyClient require
SSLOptions +StdEnvVars +StrictRequire
....
RewriteEngine on
RewriteLogLevel 9
....
RewriteCond %{LA_U:SSL_CLIENT_S_DN} (..*)

====================

As of apache 2, the rewrite log shows that the SSL_X environment
variables (and the HTTPS variable) are not being set during the lookahead.

Can anyone think what might have changed that would cause this? e.g. any
changes in the ssl fixup-phase hook handler and sub-request handling?

Better still, can anyone think of a way to force the variable processing
in the subrequest?

Thanks & regards,
James Collier




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Apache2: mod_rewrite and mod_ssl interaction changed?

on 28.07.2003 12:18:54 by Joe Orton

On Mon, Jul 28, 2003 at 10:09:49PM +1200, James Collier wrote:
> I am in the process of upgrading a site from 1.3.x to 2.0.47, and have
> encountered a (perhaps obscure) problem.
>
> For mod_rewrite I sometimes need to extract and/or test client
> certificate field values.
>
> Under 1.3.27/2.8.14 and earlier I could use - (at virtual host level):
>
> ===================
>
> SSLEngine on
> ...
> SSLVerifyClient require
> SSLOptions +StdEnvVars +StrictRequire
> ...
> RewriteEngine on
> RewriteLogLevel 9
> ...
> RewriteCond %{LA_U:SSL_CLIENT_S_DN} (..*)
>
> ====================
>
> As of apache 2, the rewrite log shows that the SSL_X environment
> variables (and the HTTPS variable) are not being set during the lookahead.
>
> Can anyone think what might have changed that would cause this? e.g. any
> changes in the ssl fixup-phase hook handler and sub-request handling?

Yes, a few people have reported this problem... the mod_ssl fixup
handler is running too late to be useful like this in 2.0: you should be
able to fix it as below:

Index: mod_ssl.c
============================================================ =======
RCS file: /store/cvs/root/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.86
diff -u -r1.86 mod_ssl.c
--- mod_ssl.c 24 Jun 2003 21:40:32 -0000 1.86
+++ mod_ssl.c 28 Jul 2003 10:17:26 -0000
@@ -508,7 +508,7 @@
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_check_user_id (ssl_hook_UserCheck, NULL,NULL, APR_HOOK_FIRST);
- ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_fixups (ssl_hook_Fixup, NULL,NULL, APR_HOOK_REALLY_FIRST);
ap_hook_access_checker(ssl_hook_Access, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE);
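
Review bot: The priority change on the ap_hook_fixups line carries no comment naming which module's fixup hook ssl_hook_Fixup now has to precede, so the reason for APR_HOOK_REALLY_FIRST is invisible to the next reader of this registration block. Add a one-line comment above it, or pass an explicit successor list in place of the second NULL so the ordering dependency is stated rather than implied by a priority constant. The hunk only reorders hooks within the fixup phase, so confirm in the rewrite log that the SSL variables are actually populated for the lookahead case from the report before relying on it.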



Re: Apache2: mod_rewrite and mod_ssl interaction changed?

on 28.07.2003 13:17:56 by James Collier

Many thanks for the quick response, Joe.

I have applied the proposed patch, but unfortunately it does not seem to
have fixed the problem.

I will investigate further and report back.


Re: Apache2: mod_rewrite and mod_ssl interaction changed?

on 28.07.2003 21:03:09 by Himanshu Soni

Try this to access the SSL server variables:
%{LA-U:ENV:SSL_CLIENT_S_DN}


Re: Apache2: mod_rewrite and mod_ssl interaction changed?

on 29.07.2003 10:52:26 by James Collier

Himanshu Soni wrote:
> Try this to access the SSL server variables:
> %{LA-U:ENV:SSL_CLIENT_S_DN}
>

Brilliant! Many thanks - that seems to work perfectly.

Not something I'd have guessed, either. In the words of Brian Moore ...
"Damned cool voodoo, but still voodoo"

-- James
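
The form reported to work in this thread, placed in a complete virtual host as an added example (not part of the thread and not any poster's own configuration). The host name, file paths, URL prefixes, the OU value and the CLIENT_DN variable name are constructed placeholders.

```apache
# Added example for Apache 2.0 with mod_ssl and mod_rewrite.
# All names, paths and values below are constructed placeholders.
<VirtualHost _default_:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    SSLCACertificateFile  conf/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    # +StdEnvVars makes mod_ssl export the SSL_* values as environment variables
    SSLOptions +StdEnvVars +StrictRequire

    RewriteEngine on
    # Rewrite logging as used in the thread, to confirm what the lookahead returns
    RewriteLog logs/rewrite.log
    RewriteLogLevel 9

    # Form from the original post, which the thread reports comes back empty on 2.0.47:
    # RewriteCond %{LA_U:SSL_CLIENT_S_DN} (..*)

    # Form reported to work: LA-U lookahead combined with an ENV: lookup.
    # Refuse /admin/ unless the client certificate's OU is the expected one.
    # NS keeps the rule from being applied inside subrequests, which includes
    # the lookahead subrequest that LA-U itself issues.
    RewriteCond %{LA-U:ENV:SSL_CLIENT_S_DN_OU} !^Operations$
    RewriteRule ^/admin/ - [NS,F]

    # Capture the full subject DN and hand it on in an environment variable.
    RewriteCond %{LA-U:ENV:SSL_CLIENT_S_DN} (..*)
    RewriteRule ^/app/ - [NS,E=CLIENT_DN:%1]

    # The same authorization decision enforced by mod_ssl itself, so access
    # to /admin/ does not rest on the rewrite rule alone.
    <Location /admin/>
        SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Operations"
    </Location>
</VirtualHost>
```

With RewriteLogLevel 9 the rewrite log shows the value each RewriteCond was tested against, which is the quickest way to confirm the lookahead returns the DN rather than an empty string.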
