[mod_python] Client certificate?

Rich Salz rsalz at zolera.com
Tue Feb 26 18:38:39 EST 2002

Okay, let me try to be more explicit.

We use SWIG (www.swig.org).  SWIG can parse header files and generate
modules for various scripting languages, including Python.  So, for
example, a SWIG interface file might say
	int UsingSSL(request_rec* r);
	char* GetClientDN(request_rec* r);
and so on.  The actual implementation of those functions tend to be
fairly short Apache ap_xxx calls, such as

UsingSSL(request_rec* r)
    return ap_ctx_get(r->connection->client->ctx, "ssl") != NULL;

We can create an Apache module that has our "swigged" extensions, and
build that into Apache.  (Or make it a shared library, DSO, whatever.)

The only "trick" is how to get that request_rec pointer.  It turns out
to be not that hard, because SWIG actually uses strings to represent

So, we patched mod_python to add a new method to the mod_python request
object; this new method returns a swig-compatible pointer(string) up to
Python.  From python code, then, we can call the SWIG functions we wrote
as described above.

So, in our case,
	from zolera import pyssl
	h = req.get_swig_handle()
	if h.UsingSSL():
		dn = h.GetClientDN()
		return Apache.Unauthorized

We have found it easier (again, since we were already using SWIG), to
just add the one function to mod_python, and then to use SWIG for
everything else.

Hope this helps.
Zolera Systems, Securing web services (XML, SOAP, Signatures,

More information about the Mod_python mailing list