Re: Accessing mod_ssl information from mod_perl(2) modules

[Byron Ellacott <bj...@apnic.net>]

On Tue, 2002-07-16 at 00:39, Stas Bekman wrote:
> You are talking about mod_perl 2.0, aren't you? Please make that clear 
> upfront, preferrably in the subject of your post.

Ach, my apologies, intended to mention that.

> What do you need APR::Pool for? What are you trying to do (code sample) 
> and failing to?

sub auth_phase {
    my ($self, $r) = @_;

    my $serial = $r->subprocess_env("SSL_CLIENT_M_SERIAL");
    my ($res, $passwd) = $r->get_basic_auth_pw();
    my $user = $r->user();
    $r->log_error("Serial is $serial, passwd is $passwd, user is $user");
    return Apache::OK;
}

This is a test piece of code, hooked via

PerlAuthenHandler MyModule->auth_phase

What I want is to discover the SSL client certificate serial, which is
available in the subprocess_env in the ResponseHandler phase, but not
this early in the request.  There's also a test of the mod_ssl
FakeBasicAuth option, which incidentally appears not to work with
mod_perl handlers.

Of some interest but not much surprise is that the SSL_CLIENT_M_SERIAL
is available in subrequests of this request, generated by SSI includes.

I am led to believe that the SSL module does export some information, in
1.3 it did this via the EAPI ctx system, in 2.0 I'm not sure how it does
it.  My question is probably, "what's the replacement for EAPI if any,
and how does it work?"

> As previously mentioned here, currently if you need to know how a new 
> Apache:: or APR:: class works, your best source of information is the 
> test suite, unless you prefer to look at the source code.

That's a place I hadn't looked yet, thanks.

> The new manpages won't be written until we get the automated docs 
> generation based on httpd-2.0 header files working. There are too many 
> manpages and the API is still changing so it doesn't worth doing any 
> manual work before it gets frozen.

Makes sense.  I don't expect a lot of doc with beta software.  
Unfortunately I wasn't consulted in the decision to move to 2.0, I'm
just the one stuck with making stuff Work.

-- 
bje

Re: Accessing mod_ssl information from mod_perl(2) modules

[Stas Bekman <st...@stason.org>]

[...]
 > What I want is to discover the SSL client certificate serial, which
 > is available in the subprocess_env in the ResponseHandler phase, but
 > not this early in the request.  There's also a test of the mod_ssl
 > FakeBasicAuth option, which incidentally appears not to work with
 > mod_perl handlers.
 >
 > Of some interest but not much surprise is that the
 > SSL_CLIENT_M_SERIAL is available in subrequests of this request,
 > generated by SSI includes.
 >
 > I am led to believe that the SSL module does export some information,
 >  in 1.3 it did this via the EAPI ctx system, in 2.0 I'm not sure how
 > it does it.  My question is probably, "what's the replacement for
 > EAPI if any, and how does it work?"

It seems that the question is really about how mod_ssl works in 2.0.
I suggest that you figure out how to accomplish what you want in a C
module and then the mod_perl solution will be obvious (I believe). i.e., 
I suggest that you generalize this question and ask it in the mod_ssl 
forum (not sure which is which in 2.0) and then report back to us (or 
even contribute it as a section to our docs for others to re-use).

e.g. with the 2.0 mod_ssl, how do I get the SSL client certificate 
serial in the auth phase (without even mentioning mod_perl so not to 
confuse those who know), which is available in the subprocess_env in the 
response phase, but not this early in the request.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com