Posted to modules-dev@httpd.apache.org by oh...@cox.net on 2012/06/26 22:17:55 UTC

ssl_var_lookup snippet was Re: Confused about modules processing order...

---- Sorin Manolache <so...@gmail.com> wrote: 
> On 2012-06-26 19:56, ohaya@cox.net wrote:
> >>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>> the hooks that execute earlier than webgate's check_user_id or
> >>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>> your hook, you have to get yourself the values of the server
> >>> certificates, client certificate, etc, everything that mod_ssl would
> >>> have given you, but too late.
> > "
> >
> > I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
> >
> > What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
> 
> I don't know, unfortunately. Have a look at the sources 
> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
> does it.
> 
> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
> Maybe you can use it in check_user_id already.
> 
> Sorin


Sorin,

THANKS for that pointer to ssl_var_lookup.  

As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat":


static int ap_headers_early(request_rec *r)
{
    /* mod_ssl registers ssl_var_lookup as an APR optional function; this is
     * what APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) expands to. */
    typedef char *(*ssl_var_lookup_t)(apr_pool_t *, server_rec *, conn_rec *,
                                      request_rec *, char *);
    ssl_var_lookup_t ssl_var_lookup =
        (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");

    if (ssl_var_lookup == NULL) {
        /* mod_ssl not loaded: never call a NULL optional function */
        ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                      "ap_headers_early: ssl_var_lookup not available");
    } else {
        const char *foo = ssl_var_lookup(r->pool, r->server, r->connection, r,
                                         "SSL_CLIENT_CERT");
        /* log through httpd rather than printf, which goes nowhere in a daemon */
        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                      "ap_headers_early: SSL_CLIENT_CERT=[%s]", foo);
    }
.
.

and it seems to work perfectly!!


Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?  

If so, now that that's working, where (which hook in mod_headers.c) would you recommend putting my code in, such that I could get my code to run BEFORE the webgate?

Thanks again!!

Jim

Re: ssl_var_lookup snippet was Re: Confused about modules processing order...

Posted by oh...@cox.net.
---- Sorin Manolache <so...@gmail.com> wrote: 
> On 2012-06-26 22:17, ohaya@cox.net wrote:
> >
> > ---- Sorin Manolache<so...@gmail.com>  wrote:
> >> On 2012-06-26 19:56, ohaya@cox.net wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> >
> >
> > Sorin,
> >
> > THANKS for that pointer to ssl_var_lookup.
> >
> > As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat":
> >
> >
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> >
> > printf("In ap_headers_early\n");
> >
> > printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> >
> > typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
> >
> > ssl_var_lookup_t ssl_var_lookup = 0;
> >
> > ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> >
> > const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
> >
> > printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> > .
> > .
> >
> > and it seems to work perfectly!!
> >
> >
> > Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?
> 
> No, it won't work in any hook, in my opinion. The availability of the 
> data depends on the phase (hook) in which you run the ssl_var_lookup.
> 
> I think, though I'm not sure, that the data are gathered in the 
> post_read_request hook. If so, ssl_var_lookup would work in any hook 
> that is called after post_read_request.
> 
> ap_headers_early is run in post_read_request. My intuition is that 
> putting your code there is slightly too early. This is because the 
> directory-wide configuration of the request is not yet correctly set in 
> this phase and URL rewrite rules have not yet been applied, although I 
> don't know if this would affect your functionality.
> 
> I'd put the code either in header_parser or in check_user_id and I'd try 
> to make sure that my check_user_id is run before webgate's check_user_id.
> 
> I'd go for header_parser as it is always run for main requests. 
> check_user_id is run only when some conditions are satisfied (check the 
> ap_process_request_internal in server/request.c).
> 
> If you go for check_user_id, make sure that it is run before Oracle's 
> check_user_id. In order to do so, you can use APR_HOOK_FIRST 
> (ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)), 
> or you can use something like
> 
> static const char *successor[] = {nameoftheoraclesourcefile, NULL};
> ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);
> 
> (See how mod_ssl places its post_read_request _after_ mod_setenvif's in 
> modules/ssl/mod_ssl.c)
> 
> Also, I would not change mod_headers, I would write my own module in 
> which I'd place my header_parser hook.
> 
> Sorin


Hi Sorin,

FYI, it looks like that ssl_var_lookup() call DOES work, even in the post_read_request/ap_headers_early hook!!

I moved the code that I had before in the insert_header hook to the post_read_request hook, then modified it to do the ssl_var_lookup() call to get the SSL_CLIENT_CERT PEM rather than getting it from r->subprocess_env.

I didn't describe what I'm trying to do clearly earlier with this module, but basically, with my module, I'm trying to intercept the Apache request processing and, in my module, get an SSO-type cookie/token that, normally, the webgate looks for to determine if the user has been previously authenticated, and inject that cookie into the request.  

Right now, as I said, my code is in the post_read_request hook, and it's working (thanks in large part to your help!), but only to a point.  It's able to get the cookie, and inject it into the request, and then, I *think* the webgate is doing its processing.

The problem I'm now having is that I end up getting 403/Forbidden response from Apache after all of that.  I'm not quite sure why yet.

If I disable the webgate, everything works ok.  

Also, this is a prototype.  My intention is that if I can get it working, I'd implement a new module from scratch, as you recommended, but I need to get this prototype working first, I think....

Thanks,
Jim

Re: ssl_var_lookup snippet was Re: Confused about modules processing order...

Posted by Sorin Manolache <so...@gmail.com>.
On 2012-06-26 22:17, ohaya@cox.net wrote:
>
> ---- Sorin Manolache<so...@gmail.com>  wrote:
>> On 2012-06-26 19:56, ohaya@cox.net wrote:
>>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
>>>>> the hooks that execute earlier than webgate's check_user_id or
>>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
>>>>> your hook, you have to get yourself the values of the server
>>>>> certificates, client certificate, etc, everything that mod_ssl would
>>>>> have given you, but too late.
>>> "
>>>
>>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
>>>
>>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
>>
>> I don't know, unfortunately. Have a look at the sources
>> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl
>> does it.
>>
>> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c.
>> Maybe you can use it in check_user_id already.
>>
>> Sorin
>
>
> Sorin,
>
> THANKS for that pointer to ssl_var_lookup.
>
> As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat":
>
>
> static apr_status_t ap_headers_early(request_rec *r)
> {
>
> printf("In ap_headers_early\n");
>
> printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
>
> typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
>
> ssl_var_lookup_t ssl_var_lookup = 0;
>
> ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
>
> const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
>
> printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> .
> .
>
> and it seems to work perfectly!!
>
>
> Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?

No, it won't work in any hook, in my opinion. The availability of the 
data depends on the phase (hook) in which you run the ssl_var_lookup.

I think, though I'm not sure, that the data are gathered in the 
post_read_request hook. If so, ssl_var_lookup would work in any hook 
that is called after post_read_request.

ap_headers_early is run in post_read_request. My intuition is that 
putting your code there is slightly too early. This is because the 
directory-wide configuration of the request is not yet correctly set in 
this phase and URL rewrite rules have not yet been applied, although I 
don't know if this would affect your functionality.

I'd put the code either in header_parser or in check_user_id and I'd try 
to make sure that my check_user_id is run before webgate's check_user_id.

I'd go for header_parser as it is always run for main requests. 
check_user_id is run only when some conditions are satisfied (check the 
ap_process_request_internal in server/request.c).

If you go for check_user_id, make sure that it is run before Oracle's 
check_user_id. In order to do so, you can use APR_HOOK_FIRST 
(ap_hook_check_user_id(&my_check_user_id, NULL, NULL, APR_HOOK_FIRST)), 
or you can use something like

static const char *successor[] = {nameoftheoraclesourcefile, NULL};
ap_hook_check_user_id(&my_check_user_id, NULL, successor, APR_HOOK_MIDDLE);

(See how mod_ssl places its post_read_request _after_ mod_setenvif's in 
modules/ssl/mod_ssl.c)

Also, I would not change mod_headers, I would write my own module in 
which I'd place my header_parser hook.

Sorin

Re: ssl_var_lookup snippet was Re: Confused about modules processing order...

Posted by oh...@cox.net.
---- "William A. Rowe Jr." <wr...@rowe-clan.net> wrote: 
> On 6/26/2012 3:17 PM, ohaya@cox.net wrote:
> > 
> > ---- Sorin Manolache <so...@gmail.com> wrote: 
> >> On 2012-06-26 19:56, ohaya@cox.net wrote:
> >>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
> >>>>> the hooks that execute earlier than webgate's check_user_id or
> >>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
> >>>>> your hook, you have to get yourself the values of the server
> >>>>> certificates, client certificate, etc, everything that mod_ssl would
> >>>>> have given you, but too late.
> >>> "
> >>>
> >>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
> >>>
> >>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
> >>
> >> I don't know, unfortunately. Have a look at the sources 
> >> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
> >> does it.
> >>
> >> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
> >> Maybe you can use it in check_user_id already.
> >>
> >> Sorin
> > 
> > 
> > Sorin,
> > 
> > THANKS for that pointer to ssl_var_lookup.  
> > 
> > As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat":
> > 
> > 
> > static apr_status_t ap_headers_early(request_rec *r)
> > {
> > 
> > printf("In ap_headers_early\n");
> > 
> > printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> > 
> > typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
> > 
> > ssl_var_lookup_t ssl_var_lookup = 0;
> > 
> > ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> > 
> > const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
> > 
> > printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> > .
> > .
> > 
> > and it seems to work perfectly!!
> > 
> > 
> > Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?  
> > 
> > If so, now that that's working, where (which hook in mod_headers.c) would you recommend putting my code in, such that I could get my code to run BEFORE the webgate?
> 
> It won't work until the ssl connection has been negotiated, so no, not 'every' hook.
> 
> But you can use ssl_var_lookup as a much more effective method of accessing just a few
> ssl connection strings instead of populating a very long and inefficient list of every
> ssl session string (many of which are formatted and copied costing additional possibly
> unnecessary cycles).
> 
> Unless the external process requires the entire list of ssl connection related text
> strings, you shouldn't require your module's users to enable ssl envvars at all.


Hi,

Thanks for that info.  My module actually only needs the SSL_CLIENT_CERT, so I'll give it a try to see what is the minimal (maybe none :)) SSLOptions I'll need.

Jim

Re: ssl_var_lookup snippet was Re: Confused about modules processing order...

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/26/2012 3:17 PM, ohaya@cox.net wrote:
> 
> ---- Sorin Manolache <so...@gmail.com> wrote: 
>> On 2012-06-26 19:56, ohaya@cox.net wrote:
>>>>> You cannot wait until mod_ssl runs its fixups, you have to hook one of
>>>>> the hooks that execute earlier than webgate's check_user_id or
>>>>> auth_checker. (You have to hook one of the hooks (1)-(4).) There, in
>>>>> your hook, you have to get yourself the values of the server
>>>>> certificates, client certificate, etc, everything that mod_ssl would
>>>>> have given you, but too late.
>>> "
>>>
>>> I guess that what I'm seeing is exactly what you said would happen, i.e., my check_user_id hook function is being called, but none of the SSL vars are populated (since, as you said mod_ssl doesn't populate them until the fixup phase).
>>>
>>> What mechanisms/methods could I use to get those SSL vars ("you have to get yourself the values of the server certificates, client certificate, etc, ") at this point?
>>
>> I don't know, unfortunately. Have a look at the sources 
>> (modules/ssl/ssl_engine_kernel.c, ssl_hook_Fixup) to see how mod_ssl 
>> does it.
>>
>> Apparently mod_ssl uses ssl_var_lookup defined in ssl_engine_vars.c. 
>> Maybe you can use it in check_user_id already.
>>
>> Sorin
> 
> 
> Sorin,
> 
> THANKS for that pointer to ssl_var_lookup.  
> 
> As a very small payback (VERY small) for your help (and others), and for the record, I put the following code (assembled from various places) in the ap_headers_early, and it seems to work "somewhat":
> 
> 
> static apr_status_t ap_headers_early(request_rec *r)
> {
> 
> printf("In ap_headers_early\n");
> 
> printf("\n\nIn ap_headers_early: About to call ssl_var_lookup\n");
> 
> typedef char* (*ssl_var_lookup_t)(apr_pool_t*, server_rec*, conn_rec*, request_rec*, char*);
> 
> ssl_var_lookup_t ssl_var_lookup = 0;
> 
> ssl_var_lookup = (ssl_var_lookup_t)apr_dynamic_fn_retrieve("ssl_var_lookup");
> 
> const char * foo = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
> 
> printf("In ap_headers_early: SSL_CLIENT_CERT=[%s]\n", foo);
> .
> .
> 
> and it seems to work perfectly!!
> 
> 
> Do you think that such calls would work in ANY hook?  In other words, would I be at my leisure to use that in ANY of the module hooks?  
> 
> If so, now that that's working, where (which hook in mod_headers.c) would you recommend putting my code in, such that I could get my code to run BEFORE the webgate?

It won't work until the ssl connection has been negotiated, so no, not 'every' hook.

But you can use ssl_var_lookup as a much more effective method of accessing just a few
ssl connection strings instead of populating a very long and inefficient list of every
ssl session string (many of which are formatted and copied costing additional possibly
unnecessary cycles).

Unless the external process requires the entire list of ssl connection related text
strings, you shouldn't require your module's users to enable ssl envvars at all.
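
William's point turns into the configuration question Jim raises in his reply: which SSLOptions a module that calls ssl_var_lookup actually needs. The fragment below is an added example, not configuration from the thread; the hostname, the certificate paths and the module name clientcert_early_module are assumptions.

```apache
# Added example (not from the thread). Hostname, paths and the module
# name are assumed.
LoadModule ssl_module              modules/mod_ssl.so
LoadModule clientcert_early_module modules/mod_clientcert_early.so

Listen 443
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/app.example.com.key

    # Ask for, and verify, the client certificate in the initial handshake.
    # Keep this at vhost level: an SSLVerifyClient inside <Location> or
    # <Directory> is enforced by mod_ssl re-requesting the certificate from
    # its access_checker hook (renegotiation, or post-handshake auth with
    # TLS 1.3), so post_read_request and header_parser would still see none.
    SSLCACertificateFile /etc/ssl/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Deliberately absent: these only copy SSL_* strings into
    # r->subprocess_env during the fixups phase, which is both too late for
    # check_user_id and a per-request cost. A module that calls
    # ssl_var_lookup() for SSL_CLIENT_CERT does not need either option.
    #SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

With SSLVerifyClient require at this level, a request only reaches the module when the handshake has already produced a certificate that chains to client-ca.pem, so SSL_CLIENT_VERIFY reads SUCCESS for every request on the vhost; with optional or optional_no_ca the module has to check that value itself before trusting the PEM.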