Hi,

1. Environment:

OS: Linux
Apache: 2.0.50

2. Problem:

As I upgraded some Apache 1.3.x systems to Apache 2.0.50 I noticed that the SSL_ variables defined by mod_ssl are no longer available for checks with RewriteCond. In Apache 1.3.x RewriteConds like the following delivered reasonable results:

    RewriteCond %{SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

On Apache 2.0.50 the input stays empty as the following excerpt from the RewriteLog (Level 9) shows:

    92.168.2.4 - - [04/Aug/2004:11:57:06 +0200] [www.something.de/sid#8122700][rid#818a1b0/initial] (4) RewriteCond: input='' pattern='!^[0-9][0-9][0-9]' => matched

Even after adding

    SSLOptions +StdEnvVars

and modifying the RewriteCond to

    RewriteCond %{ENV:SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

nothing changed. The input remains empty.

3. Analysis

The root cause for this problem is that mod_ssl writes its SSL_ variables to r->subprocess_env in its fixup handler (provided SSLOptions contains StdEnvVars), but all fixup handlers are executed after the translate_name handlers. On the other hand the evaluation of the rewrite rules happens in mod_rewrite's translate_name handler, so the variables are not available at this point of time.

4. Solution proposal

I noticed that the documentation for mod_rewrite of Apache 2.1 points out a special prefix for the SSL_ variables named SSL: (like ENV: for environment variables). So the solution approach is to add a piece of code to lookup_variable in mod_rewrite.c that checks for variable names that start with SSL: after the check for the variables whose names start with ENV:. The mod_ssl function ssl_var_lookup can be used to get the values for the specific variables as it has been registered by mod_ssl with APR_REGISTER_OPTIONAL_FN in ssl_engine_vars.c. After that it would be possible to check the SSL_ variables in RewriteConds via prefixing the variable name with SSL:.

For example the following RewriteCond

    RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

would be a replacement for my old (Apache 1.3.x) RewriteCond

    RewriteCond %{SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

I wrote an appropriate patch for mod_rewrite which I tested on my environment. It worked as designed. I attach the patch.

Regards

Rüdiger Plüm
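An added example, not part of the original report or of Apache's code: after an upgrade like the one described above, the RewriteLog can be scanned for RewriteCond evaluations whose input was empty, which means the condition's outcome no longer depends on the variable being tested. The log lines are constructed in the format of the excerpt above; the hostnames and function names are hypothetical.

```python
import re
from collections import Counter

# RewriteCond trace line, in the format of the RewriteLog excerpt in the report.
COND_RE = re.compile(
    r"\[(?P<vhost>[^/\]]+)/sid#[0-9a-f]+\]\[rid#[0-9a-f]+/(?P<kind>[^\]]+)\]\s+"
    r"\(\d+\)\s+RewriteCond: input='(?P<input>.*?)' "
    r"pattern='(?P<pattern>.*?)'(?: \[[^\]]*\])? => (?P<result>matched|not-matched)\s*$"
)

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2004:11:57:06 +0200] [www.example.test/sid#8122700][rid#818a1b0/initial] (4) RewriteCond: input='' pattern='!^[0-9][0-9][0-9]' => matched
192.0.2.11 - - [04/Aug/2004:11:57:09 +0200] [www.example.test/sid#8122700][rid#818c2d8/initial] (4) RewriteCond: input='' pattern='!^[0-9][0-9][0-9]' => matched
192.0.2.10 - - [04/Aug/2004:11:58:01 +0200] [shop.example.test/sid#8122a48][rid#818e400/initial] (4) RewriteCond: input='' pattern='^(128|168|256)$' => not-matched
192.0.2.12 - - [04/Aug/2004:11:58:30 +0200] [www.example.test/sid#8122700][rid#8190528/initial] (4) RewriteCond: input='on' pattern='^on$' => matched
192.0.2.12 - - [04/Aug/2004:11:58:30 +0200] [www.example.test/sid#8122700][rid#8190528/initial] (2) init rewrite engine with requested uri /secure/
""".splitlines()


def empty_input_conditions(lines):
    """Count RewriteCond evaluations that ran against an empty input.

    Returns a Counter keyed by (vhost, pattern, result).
    """
    hits = Counter()
    for line in lines:
        m = COND_RE.search(line)
        if m and m.group("input") == "":
            hits[(m.group("vhost"), m.group("pattern"), m.group("result"))] += 1
    return hits


def effect(result):
    """Describe what an empty-input evaluation means for the rule it guards."""
    if result == "matched":
        return "condition is true for every request"
    return "condition is false for every request"


if __name__ == "__main__":
    for (vhost, pattern, result), n in sorted(empty_input_conditions(SAMPLE_LOG).items()):
        print(f"{vhost}: pattern {pattern!r} saw empty input {n}x -> {effect(result)}")
```

A condition reported here as always false is the more dangerous case when it guards a deny rule, because the rule then never fires.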
Created attachment 12327 Solution proposal patch
Currently my patch is missing the corresponding patch of the mod_rewrite documentation. As my patch is a backport (even from the coding point of view as I compared my patch and an actual CVS snapshot of Apache 2.1) of the same functionality offered by Apache 2.1 I simply backported the corresponding paragraph for the Apache 2.1 documentation of mod_rewrite.xml. So the contents of the documentation patch I will attach have been written by one of the Apache 2.1 mod_rewrite contributors / authors.
Created attachment 12515 Documentation patch
Thanks for the patch. This has been proposed for backport to 2.0. It can't be done by including mod_ssl.h, since that fails if mod_ssl is not enabled in 2.0, so the optional function declarations have to be duplicated.
For reference, the proposed patches are:

http://www.apache.org/~jorton/mod_rewrite-2.0-sslvar.diff
http://www.apache.org/~jorton/mod_ssl-2.0-ishttps.diff
Thanks for the feedback and the references. You are right, it is not possible to include mod_ssl.h in Apache 2.0 without enabling it via configure. I did not notice that as I always compile my Apache with mod_ssl. So I included mod_ssl.h to avoid the duplication of the optional function declarations. It is nice to hear that this feature should be backported to Apache 2.0. Do you already know a release of Apache 2.0 in which this will be included?
The backport requires votes from two additional developers, so it depends when people have time to review the changes.
Now committed for 2.0.51.
That's very good news. Thanks.