[mod_python] mod_ssl variables are not passed to mod_python auth handler

Tomasz Wlodek tomw at bnl.gov
Fri Feb 3 17:18:18 EST 2006

Hello mod_python experts,

I would like to use mod_python to force Apache to authenticate users based
on their user certificate. I have encountered a problem: SSL environment
variables are not passed by Apache to the mod_python authentication handler.

Here is how the whole thing should work.

In Apache conf files I tell it to load mod_ssl module

LoadModule ssl_module           /usr/lib/httpd/modules/mod_ssl.so

then I turn on the user verification option in SSL:

SSLEngine               on
SSLCertificateFile      /etc/...
SSLCertificateKeyFile   /etc/...
SSLCACertificatePath    /etc/....
SSLVerifyClient         optional
SSLVerifyDepth          10
SSLOptions              +ExportCertData +StdEnvVars

I restart Apache and I load a cgi script which dumps the available
environment variables. I can see that the SSL_CLIENT_S_DN and
SSL_CLIENT_VERIFY variables are set or not set depending on whether I have
a valid certificate in my browser or not. Hallelujah! The certificate-based
authentication works in cgi scripts.

Now I would like to pass the work of deciding whether the user was
authenticated or not from the cgi script to the mod_python authentication
handler. The idea is: the mod_python authentication handler will check if the
SSL_CLIENT_S_DN variable was defined by SSL. If yes - return apache.OK. If
not - return apache.HTTP_FORBIDDEN.

Sounds simple. So I set to work. I define mod_python authentication:

<Directory /var/www/gridsite/cgi>
    AddHandler mod_python .py
    PythonHandler myhandler
    PythonAuthenHandler myhandler
    PythonDebug on
    PythonPath "sys.path + ['/root/mod_python_handlers']"
    AuthType Basic
    AuthName "Restricted Area"
    require valid-user
</Directory>

then I create the actual python handler in file

from mod_python import apache

def authenhandler(req):
    # let us make sure that environment variables are loaded
    # we can dump the list of known environment variables, for debugging
    #for line in req.subprocess_env.keys():
    #    req.write(line+"<br>\n")

    # now comes the real work: if SSL verified the certificate, then
    # SSL_CLIENT_S_DN variable should be set and the user can be approved
    if req.subprocess_env.has_key('SSL_CLIENT_S_DN'):
        return apache.OK
    # variable not set: reject the request
    return apache.HTTP_FORBIDDEN

That is all. Now I run the thing. It turns out that the SSL environment
variables are not visible from /root/mod_python_handlers/myhandler.py and
the handler always returns apache.HTTP_FORBIDDEN!

I can see those variables in the cgi scripts, but not in python
authentication handler.

Does anyone have an idea why? Do I need to call some function to load them?

If I modify the handler to be:

def authenhandler(req):
    return apache.OK

so that everyone gets approved, and then display the content of
SSL_CLIENT_S_DN from cgi scripts then the variable is clearly there!

Tomasz Wlodek
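
Added example, not part of the original post: a diagnostic for the situation described above. It separates "no SSL_* variables reached the handler" from "the client sent no certificate", and accepts a request only when SSL_CLIENT_VERIFY is SUCCESS rather than whenever SSL_CLIENT_S_DN exists. The function names and sample environments are constructed; passing req.subprocess_env as the mapping is an assumption.

```python
# Added example: classify the mod_ssl client-certificate state seen by a handler.
# Works on any mapping with keys() and get(); in a mod_python handler the
# mapping would be req.subprocess_env (assumption, not tested against Apache).

VERIFIED = "verified"
NO_SSL_VARS = "no-ssl-vars"        # no SSL_* variables visible at all
NO_CLIENT_CERT = "no-client-cert"  # SSL variables present, no client certificate
NOT_VERIFIED = "not-verified"      # certificate present but not fully verified


def classify_client_cert(env):
    """Return (state, detail) for the SSL_* variables in env."""
    ssl_keys = [k for k in env.keys() if k.startswith("SSL_")]
    if not ssl_keys:
        return NO_SSL_VARS, "no SSL_* variables in this environment"
    verify = env.get("SSL_CLIENT_VERIFY") or "NONE"
    dn = env.get("SSL_CLIENT_S_DN") or ""
    if verify == "NONE":
        return NO_CLIENT_CERT, "SSL_CLIENT_VERIFY is NONE or unset"
    if verify != "SUCCESS":
        # GENEROUS or FAILED:<reason>; a subject DN may still be present.
        return NOT_VERIFIED, "SSL_CLIENT_VERIFY=%s" % verify
    if not dn.strip():
        return NOT_VERIFIED, "verified but SSL_CLIENT_S_DN is empty"
    return VERIFIED, dn


def is_authenticated(env):
    """Fail closed: only a verified certificate with a subject DN passes."""
    return classify_client_cert(env)[0] == VERIFIED


# Constructed sample environments (not captured from a real server).
SAMPLES = {
    "handler sees nothing": {"REQUEST_METHOD": "GET"},
    "no certificate": {"SSL_PROTOCOL": "TLSv1", "SSL_CLIENT_VERIFY": "NONE"},
    "unverified cert": {"SSL_CLIENT_VERIFY": "FAILED:certificate has expired",
                        "SSL_CLIENT_S_DN": "/O=Example/CN=Test User"},
    "verified cert": {"SSL_CLIENT_VERIFY": "SUCCESS",
                      "SSL_CLIENT_S_DN": "/O=Example/CN=Test User"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        state, detail = classify_client_cert(env)
        print("%-22s %-15s %s" % (name, state, detail))
```

Logging the returned state from inside the handler shows whether a rejection comes from a missing certificate or from the SSL variables not being present in that environment at all.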
