benluteijn / cherokee

Automatically exported from code.google.com/p/cherokee

Create SSL environment variables #259

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago

I need to have some of these variables in my php-fcgi environment.

SSL_PROTOCOL    string  The SSL protocol version (SSLv2, SSLv3, TLSv1)
SSL_SESSION_ID  string  The hex-encoded SSL session id
SSL_CIPHER  string  The cipher specification name
SSL_CIPHER_EXPORT   string  true if cipher is an export cipher
SSL_CIPHER_USEKEYSIZE   number  Number of cipher bits (actually used)
SSL_CIPHER_ALGKEYSIZE   number  Number of cipher bits (possible)
SSL_VERSION_INTERFACE   string  The mod_ssl program version
SSL_VERSION_LIBRARY     string  The OpenSSL program version
SSL_CLIENT_M_VERSION    string  The version of the client certificate
SSL_CLIENT_M_SERIAL     string  The serial of the client certificate
SSL_CLIENT_S_DN     string  Subject DN in client's certificate
SSL_CLIENT_S_DN_x509    string  Component of client's Subject DN
SSL_CLIENT_I_DN     string  Issuer DN of client's certificate
SSL_CLIENT_I_DN_x509    string  Component of client's Issuer DN
SSL_CLIENT_V_START  string  Validity of client's certificate (start time)
SSL_CLIENT_V_END    string  Validity of client's certificate (end time)
SSL_CLIENT_A_SIG    string  Algorithm used for the signature of client's certificate
SSL_CLIENT_A_KEY    string  Algorithm used for the public key of client's certificate
SSL_CLIENT_CERT     string  PEM-encoded client certificate
SSL_CLIENT_CERT_CHAINn  string  PEM-encoded certificates in client certificate chain
SSL_CLIENT_VERIFY   string  NONE, SUCCESS, GENEROUS or FAILED:reason
SSL_SERVER_M_VERSION    string  The version of the server certificate
SSL_SERVER_M_SERIAL     string  The serial of the server certificate
SSL_SERVER_S_DN     string  Subject DN in server's certificate
SSL_SERVER_S_DN_x509    string  Component of server's Subject DN
SSL_SERVER_I_DN     string  Issuer DN of server's certificate
SSL_SERVER_I_DN_x509    string  Component of server's Issuer DN
SSL_SERVER_V_START  string  Validity of server's certificate (start time)
SSL_SERVER_V_END    string  Validity of server's certificate (end time)
SSL_SERVER_A_SIG    string  Algorithm used for the signature of server's certificate
SSL_SERVER_A_KEY    string  Algorithm used for the public key of server's certificate
SSL_SERVER_CERT     string  PEM-encoded server certificate

Priority for me:

SSL_CLIENT_VERIFY
SSL_CLIENT_CERT_SERIAL
SSL_CLIENT_CERTIFICATE
SSL_CLIENT_ICN
SSL_CLIENT_CN
SSL_CLIENT_M_SERIAL
SSL_CLIENT_CERT
SSL_CLIENT_I_DN_CN
SSL_CLIENT_S_DN_CN

More info: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

Original issue reported on code.google.com by skar...@gmail.com on 3 Dec 2008 at 4:43
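The following PHP is an added example (not part of the original issue and not Cherokee or mod_ssl code) showing how a php-fcgi application could consume the prioritized variables: it accepts only an SSL_CLIENT_VERIFY value of SUCCESS before reading any identity field. The function name, the issuer allow-list and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not Cherokee or mod_ssl code. Variable names come from the
// list in the issue; the issuer CN, subject CN and serial are constructed.

// Returns the identity fields on success; otherwise null, with $reason set.
function client_cert_identity(array $env, array $allowedIssuerCns, ?string &$reason = null): ?array
{
    // Only SUCCESS means the server validated the chain. NONE (no cert sent),
    // GENEROUS and FAILED:reason must never be treated as authenticated.
    $verify = $env['SSL_CLIENT_VERIFY'] ?? 'NONE';
    if ($verify !== 'SUCCESS') {
        $reason = "client certificate not verified ($verify)";
        return null;
    }

    // Every field used for the access decision must be present and non-empty.
    $identity = [];
    foreach (['SSL_CLIENT_S_DN_CN', 'SSL_CLIENT_I_DN_CN', 'SSL_CLIENT_M_SERIAL'] as $name) {
        $value = $env[$name] ?? '';
        if (!is_string($value) || $value === '') {
            $reason = "missing $name";
            return null;
        }
        $identity[$name] = $value;
    }

    // Exact-match the issuer against an allow-list (assumption: the
    // application pins the issuing CA in addition to the server's trust store).
    if (!in_array($identity['SSL_CLIENT_I_DN_CN'], $allowedIssuerCns, true)) {
        $reason = 'issuer not allowed';
        return null;
    }
    return $identity;
}

// Constructed sample environments, shaped like what a FastCGI backend receives.
$samples = [
    ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'Example User',
     'SSL_CLIENT_I_DN_CN' => 'Example Issuing CA', 'SSL_CLIENT_M_SERIAL' => '0A1B2C'],
    ['SSL_CLIENT_VERIFY' => 'GENEROUS', 'SSL_CLIENT_S_DN_CN' => 'Example User',
     'SSL_CLIENT_I_DN_CN' => 'Example Issuing CA', 'SSL_CLIENT_M_SERIAL' => '0A1B2C'],
    ['SSL_CLIENT_S_DN_CN' => 'Example User'],  // plain HTTP or no certificate sent
];
foreach ($samples as $env) {
    $who = client_cert_identity($env, ['Example Issuing CA'], $reason);
    echo $who ? "allow {$who['SSL_CLIENT_S_DN_CN']} (serial {$who['SSL_CLIENT_M_SERIAL']})\n"
              : "deny: $reason\n";
}
```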

GoogleCodeExporter commented 9 years ago
Ummm... It's going to be a hell of a hack.

Original comment by alobbs on 3 Dec 2008 at 4:49

GoogleCodeExporter commented 9 years ago
I suggest we make something extremely pretty with respect to env variables, because I presume it must be possible to choose which ones are exported, as opposed to doing all.

Original comment by ste...@konink.de on 3 Dec 2008 at 4:54

GoogleCodeExporter commented 9 years ago
Yes... but it is really needed for us... We use FNMT certificates to grant access in our "Virtual Office" and Intranet server. Without it, we can't migrate our servers to Cherokee... :(

Original comment by skar...@gmail.com on 3 Dec 2008 at 4:56

GoogleCodeExporter commented 9 years ago
As I previously said.. your wish is my command! ;) We'll put it in place.

However, I do understand why Stefan is worried about it. Very few people will use the feature, so we should definitely make it optional. I completely agree on that.

Original comment by alobbs on 3 Dec 2008 at 5:24

GoogleCodeExporter commented 9 years ago
Thanks Álvaro! ;)

I agree. SSL information extraction is expensive, so the use of something like "SSLOptions StdEnvVars" in Apache should be good. As a CGI handler property, for example.

Original comment by skar...@gmail.com on 3 Dec 2008 at 6:11

GoogleCodeExporter commented 9 years ago
Yes; it will be a new property of handler_cgi_base.

Original comment by alobbs on 3 Dec 2008 at 6:20

GoogleCodeExporter commented 9 years ago
Any progress in this?

Thanks for the great work!

Original comment by joseba...@gmail.com on 11 Dec 2009 at 3:48

GoogleCodeExporter commented 9 years ago
Alvaro; can we cache the generation of the environment? So we do generate this list once when TLS is enabled and a checkbox is found requiring these settings? In that way we generate them once, and only if it is being used later on.

Original comment by ste...@konink.de on 14 Oct 2011 at 7:49

GoogleCodeExporter commented 9 years ago
Stefan,

As in the rest of the cases where variables are being added, the idea is to keep the list of variable names and values in memory, and whenever necessary add them to the session. It's working in the same way in all the *CGI handlers, for instance.

Trying to build the whole memory block would just save a handful of tiny memcpy()s when an SSL session is created, which is basically nothing in comparison to the overall work that it requires. Basically, it would not get any perceptible benefit out of it, while the code would not be as clean.

Original comment by alobbs on 14 Oct 2011 at 6:45