Graham Dumpleton
grahamd at dscpl.com.au
Fri Feb 3 18:06:33 EST 2006
SSL environment variables are not populated into req.subprocess_env
until the last stage of execution of the fixuphandler phase. This is
a pain as you have found because they aren't available during
authenhandler, only in any actual content handler.

This issue has been noted and the intention is to add support for
req.ssl_var_lookup() in mod_python version 3.3. Someone has already
submitted some initial patches that might be used to do this. If you
want to experiment with the feature, you could try patching your
mod_python source code to add the feature. See:

  http://issues.apache.org/jira/browse/MODPYTHON-94

for details on this issue.

If you don't want to patch your mod_python source code, I also supplied
code for an alternate way of doing it a long time ago. This is mentioned
in:

  http://www.modpython.org/pipermail/mod_python/2005-May/018164.html

Unfortunately the mailing list archive has stuffed the attachment links
in the post. The actual links are:

  # save as _mp_mod_ssl.c
  http://www.modpython.org/pipermail/mod_python/attachments/20050523/9fa0275b/_mp_mod_ssl.obj

  # save as setup.py
  http://www.modpython.org/pipermail/mod_python/attachments/20050523/9fa0275b/setup.obj

Fix the path for location of Apache stuff in setup.py and then build
like a normal Python module.

Graham

On 04/02/2006, at 9:18 AM, Tomasz Wlodek wrote:

> Hello mod_python experts,
>
> I would like to use mod_python to force Apache to authenticate users
> based on their user certificate. I have encountered a problem: SSL
> environment variables are not passed by Apache to the mod_python
> authentication handler.
>
> Here is how the whole thing should work.
>
> In Apache conf files I tell it to load mod_ssl module
>
> LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
>
> then I turn on the user verification option in SSL:
>
> SSLEngine on
> SSLCertificateFile /etc/...
> SSLCertificateKeyFile /etc/...
> SSLCACertificatePath /etc/....
> SSLVerifyClient optional
> SSLVerifyDepth 10
> SSLOptions +ExportCertData +StdEnvVars
>
> I restart Apache and I load a cgi script which dumps the available
> environment variables. I can see that the SSL_CLIENT_S_DN and
> SSL_CLIENT_VERIFY variables are set or not set depending on whether I
> have a valid certificate in my browser or not. Hallelujah! The
> certificate based authentication works in cgi scripts.
>
> Now I would like to pass the work of deciding whether the user was
> authenticated or not from the cgi script to a mod_python authentication
> handler. The idea is: the mod_python authentication handler will check
> if the SSL_CLIENT_S_DN variable was defined by SSL. If yes - return
> apache.OK. If not return apache.HTTP_FORBIDDEN.
>
> Sounds simple. So I set to work. I define a mod-python authentication
> handler:
>
> <Directory /var/www/gridsite/cgi>
>   AddHandler mod_python .py
>   PythonHandler myhandler
>   PythonAuthenHandler myhandler
>   PythonDebug on
>   PythonPath "sys.path + ['/root/mod_python_handlers']"
>   AuthType Basic
>   AuthName "Restricted Area"
>   require valid-user
> </Directory>
>
> then I create the actual python handler in file
> /root/mod_python_handlers/myhandler.py
>
> from mod_python import apache
>
> def authenhandler(req):
>     # let us make sure that environment variables are loaded
>     req.add_common_vars()
>     # we can dump the list of known environment variables, for debugging
>     #for line in req.subprocess_env.keys():
>     #    req.write(line+"<br>\n")
>
>     # now comes the real work: if SSL verified the certificate, then
>     # SSL_CLIENT_S_DN variable should be set and the user can be approved
>     if req.subprocess_env.has_key('SSL_CLIENT_S_DN'):
>         return apache.OK
>     else:
>         return apache.HTTP_FORBIDDEN
>
> That is all. Now I run the thing. It turns out that the SSL environment
> variables are not visible from /root/mod_python_handlers/myhandler.py
> and the handler always returns apache.HTTP_FORBIDDEN !
>
> I can see those variables in the cgi scripts, but not in the python
> authentication handler.
>
> Does anyone have an idea why? Do I need to call some function to load
> them?
>
> If I modify the handler to be:
>
> def authenhandler(req):
>     return apache.OK
>
> so that everyone gets approved, and then display the content of
> SSL_CLIENT_S_DN from cgi scripts then the variable is clearly there!
>
> Tomasz Wlodek
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
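
Added example (not part of the original thread and not mod_python's own code): an authentication handler that reads the mod_ssl variables through the req.ssl_var_lookup() call named in the reply, available from mod_python 3.3, and requires SSL_CLIENT_VERIFY to be SUCCESS before trusting the DN. The apache stand-in class, FakeRequest, OldRequest and all sample values are assumptions constructed so the logic runs offline.

```python
# Added example; not code from the thread or from mod_python.
try:
    from mod_python import apache      # only importable inside Apache
except ImportError:
    class apache:                      # stand-in (assumption) for offline runs
        OK = 0
        HTTP_FORBIDDEN = 403


def ssl_var(req, name):
    """Return a mod_ssl variable, or "" when it cannot be read."""
    lookup = getattr(req, "ssl_var_lookup", None)
    if lookup is None:
        # Before mod_python 3.3 the variables are not visible in this
        # phase, so report nothing and let the caller fail closed.
        return ""
    return lookup(name) or ""


def verified_client_dn(req):
    """Subject DN of the client certificate, only if mod_ssl verified it."""
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    # FAILED:reason. With settings such as SSLVerifyClient optional_no_ca
    # a DN can be present without successful verification.
    if ssl_var(req, "SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return ssl_var(req, "SSL_CLIENT_S_DN") or None


def authenhandler(req):
    """Allow the request only for a verified client certificate."""
    if verified_client_dn(req) is None:
        return apache.HTTP_FORBIDDEN
    return apache.OK


class FakeRequest:
    """Constructed stand-in for a mod_python 3.3+ request object."""
    def __init__(self, ssl_vars):
        self._ssl_vars = ssl_vars

    def ssl_var_lookup(self, name):
        return self._ssl_vars.get(name, "")


class OldRequest:
    """Constructed request without ssl_var_lookup (pre-3.3 behaviour)."""
```
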