Bug 30464 - SSL_ variables from mod_ssl not available for RewriteCond tests in mod_rewrite
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_rewrite
Version: 2.0.50
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2004-08-04 13:08 UTC by Rüdiger Plüm
Modified: 2004-11-16 19:05 UTC

Solution proposal patch (906 bytes, patch)
2004-08-04 13:09 UTC, Rüdiger Plüm
Documentation patch (967 bytes, patch)
2004-08-24 08:28 UTC, Rüdiger Plüm

Description Rüdiger Plüm 2004-08-04 13:08:13 UTC

1. Environment:

OS: Linux
Apache: 2.0.50

2. Problem:

As I upgraded some Apache 1.3.x systems to Apache 2.0.50 I noticed that the
SSL_ variables defined by mod_ssl are no longer available for checks
with RewriteCond.

In Apache 1.3.x RewriteConds like the following delivered reasonable results:

RewriteCond %{SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

On Apache 2.0.50 the input stays empty as the following excerpt from
the RewriteLog (Level 9) shows:

- - [04/Aug/2004:11:57:06 +0200] [www.something.de/sid#8122700][rid#818a1b0/initial] (4) RewriteCond: input='' pattern='!^[0-9][0-9][0-9]' => matche

Even after adding SSLOptions +StdEnvVars and modifying the RewriteCond to

RewriteCond %{ENV:SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

nothing changed. The input remains empty.

3. Analysis

The root cause for this problem is that mod_ssl writes its SSL_ variables
to r->subprocess_env in its fixup handler (provided SSLOptions contains
StdEnvVars), but all fixup handlers are executed after the translate_name
handlers. On the other hand the evaluation of the rewrite rules happens
in mod_rewrite's translate_name handler, so the variables are not available
at this point of time.

4. Solution proposal

I noticed that the documentation for mod_rewrite of Apache 2.1 points out
a special prefix for the SSL_ variables named SSL: (like ENV: for environment
variables). So the solution approach is to add a piece of code to
lookup_variable in mod_rewrite.c that checks for variable names that start with
SSL: after the check for the variables whose names start with ENV:.
The mod_ssl function ssl_var_lookup can be used to get the values for the
specific variables as it has been registered by mod_ssl with
APR_REGISTER_OPTIONAL_FN in ssl_engine_vars.c. After that it would be
possible to check the SSL_ variables in RewriteConds via prefixing the
variable name with SSL:. For example the following RewriteCond

RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

would be a replacement for my old (Apache 1.3.x) RewriteCond

RewriteCond %{SSL_CIPHER_USEKEYSIZE} !^[0-9][0-9][0-9]

I wrote an appropriate patch for mod_rewrite which I tested on my environment.
It worked as designed. I attach the patch.


Rüdiger Plüm
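
A triage aid for the symptom described in the report above, as an added example that is not part of the original bug report or of httpd: it scans RewriteLog output for RewriteCond checks that were evaluated against an empty string and reports whether that made the condition always true or never true. The log layout follows the excerpt in the report; the sample lines, host name and client address are constructed.

```python
import re
from collections import Counter

# RewriteCond trace line in the RewriteLog, layout as in the excerpt above.
# Assumption: the result token is "matched" or "not-matched".
COND_RE = re.compile(
    r"\[(?P<vhost>[^/\]]+)/sid#\w+\]\[rid#\w+/[^\]]+\] \(\d+\) "
    r"RewriteCond: input='(?P<input>.*?)' pattern='(?P<pattern>.*)' "
    r"=> (?P<result>matched|not-matched)")

def cond_is_true(pattern, value):
    """Approximate RewriteCond semantics: a leading '!' negates the regex."""
    negated = pattern.startswith("!")
    hit = re.search(pattern[1:] if negated else pattern, value) is not None
    return hit != negated

def classify(pattern, result):
    """Effect of an empty test string on one logged condition."""
    negated = pattern.startswith("!")
    if negated and result == "matched":
        return "always-true"   # fires whatever the real value would have been
    if not negated and result == "not-matched":
        return "never-true"    # silently never fires
    return "empty-accepted"    # regex itself matches '' (e.g. ^$), likely intended

def empty_input_findings(lines):
    """Count (vhost, pattern, effect) for conditions evaluated against ''."""
    counts = Counter()
    for line in lines:
        m = COND_RE.search(line)
        if m and m["input"] == "":
            effect = classify(m["pattern"], m["result"])
            counts[(m["vhost"], m["pattern"], effect)] += 1
    return counts

# Constructed sample lines (hypothetical host, client and ids), not real logs.
LINE = ("192.0.2.10 - - [04/Aug/2004:11:57:06 +0200] [www.example.test/sid#8122700]"
        "[rid#818a1b0/initial] (4) RewriteCond: input='{}' pattern='{}' => {}")
SAMPLE_LOG = [LINE.format(*f) for f in (
    ("", "!^[0-9][0-9][0-9]", "matched"),
    ("", "!^[0-9][0-9][0-9]", "matched"),
    ("128", "!^[0-9][0-9][0-9]", "not-matched"),
    ("", "^[0-9][0-9][0-9]", "not-matched"),
    ("", "^$", "matched"))]

if __name__ == "__main__":
    for (vhost, pat, effect), n in empty_input_findings(SAMPLE_LOG).items():
        print(f"{vhost}: pattern {pat!r} saw empty input {n}x -> {effect}")
```

An "always-true" finding on a key-size check means the rule applies to every request regardless of the negotiated cipher, while "never-true" means the check is silently skipped.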
Comment 1 Rüdiger Plüm 2004-08-04 13:09:03 UTC
Created attachment 12327
Solution proposal patch
Comment 2 Rüdiger Plüm 2004-08-24 08:27:57 UTC
Currently my patch is missing the corresponding patch of the mod_rewrite
documentation. As my patch is a backport (even from the coding point of view as
I compared my patch and an actual CVS snapshot of Apache 2.1) of the same
functionality offered by Apache 2.1 I simply backported the corresponding paragraph
from the Apache 2.1 documentation of mod_rewrite.xml. So the contents of the
documentation patch I will attach have been written by one of the Apache 2.1
mod_rewrite contributors / authors.
Comment 3 Rüdiger Plüm 2004-08-24 08:28:32 UTC
Created attachment 12515
Documentation patch
Comment 4 Joe Orton 2004-08-24 09:40:02 UTC
Thanks for the patch.

This has been proposed for backport to 2.0.  It can't be done by including
mod_ssl.h, since that fails if mod_ssl is not enabled in 2.0, so the optional
function declarations have to be duplicated.
Comment 5 Joe Orton 2004-08-24 09:42:58 UTC
For reference, the proposed patches are:

Comment 6 Rüdiger Plüm 2004-08-24 10:32:43 UTC
Thanks for the feedback and the references. You are right, it is not possible to
include mod_ssl.h in Apache 2.0 without enabling it via configure. I did not
notice that as I compile my Apache always with mod_ssl. So I included mod_ssl.h
to avoid the duplication of the optional function declarations.
It is nice to hear that this feature should be backported to Apache 2.0. Do you
already know a release of Apache 2.0 in which this will be included?
Comment 7 Joe Orton 2004-08-24 11:22:19 UTC
The backport requires votes from two additional developers, so it depends when
people have time to review the changes.
Comment 8 Joe Orton 2004-08-27 14:10:30 UTC
Now committed for 2.0.51.
Comment 9 Rüdiger Plüm 2004-08-27 14:16:34 UTC
That's very good news. Thanks.