httpd-dev mailing list archives

From Daniel Risacher <mag...@alum.mit.edu>
Subject Re: asking mod_ssl for client certificates from another module
Date Fri, 05 Aug 2005 14:49:56 GMT

I (Daniel Risacher) wrote:

>I've been trying to figure out if there is a way to ask mod_ssl to
>require client certificates from another module before the response
>phase.  (I think the answer is 'no'.)
>
>In more detail, I'm prototyping an access handler that would allow
>requests from certain client IP addresses, and require client
>certificates from all others.  It seems like mod_ssl API does not have
>a hook for requesting a renegotiation; and that this can only be done
>on a per directory basis at configure time.
>
>Can someone who understands mod_ssl comment on how to dynamically
>force client authentication?  Would it be feasible to make such an
>extension to the mod_ssl API?
>
>Dan

Just to close the loop, I think I did figure out how to do this.

Here's the mod_perl2 code I used (during the access phase handler).
From looking at the mod_ssl source, I think it's important that this
happen *before* the mod_ssl access phase handler.  Since I'm not sure
how to ensure that a mod_perl access handler is called before the
mod_ssl handler, this should probably be done as a HeaderParserHandler
instead.

sub access_handler {
    my ($r) = @_;
    ...
    if (&hostname_ok($r)) {
        # Apply these mod_ssl directives to the current request only.
        $r->add_config(['SSLVerifyClient require',
                        'SSLVerifyDepth 3',
                        ]);
    ...
    }
}
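
Added example (not part of the original message, and not mod_ssl or mod_perl project code): a complete mod_perl2 handler for the approach described above, registered as a PerlHeaderParserHandler as the message suggests and following the stated goal that listed client IPs pass while all others must present a certificate. The package name, the allow list and the fail-closed 403 are assumptions; the decision uses the TCP peer address, so it is only meaningful when no proxy sits in front of httpd.

```perl
package My::RequireCertUnlessTrusted;   # hypothetical module name
# httpd.conf (assumed): PerlHeaderParserHandler My::RequireCertUnlessTrusted
use strict;
use warnings;
use Apache2::RequestRec  ();   # $r->connection
use Apache2::RequestUtil ();   # $r->add_config
use Apache2::Connection  ();   # $c->client_ip / $c->remote_ip
use Apache2::Log         ();   # $r->log_error
use Apache2::Const -compile => qw(OK HTTP_FORBIDDEN);
use Socket qw(inet_aton);

# Constructed sample allow list (documentation ranges); IPv4 CIDR only.
my @TRUSTED = map { parse_cidr($_) } qw(192.0.2.0/24 198.51.100.17/32);

sub parse_cidr {
    my ($net, $bits) = split m{/}, $_[0];
    $bits = 32 unless defined $bits;
    my $packed = inet_aton($net) or die "bad CIDR: $_[0]";
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    return [ unpack('N', $packed) & $mask, $mask ];
}

sub ip_trusted {
    my ($ip) = @_;
    # Anything that is not a dotted quad (IPv6, undef) is untrusted.
    return 0 unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    my $packed = inet_aton($ip) or return 0;
    my $n = unpack 'N', $packed;
    return scalar grep { $_->[0] == ($n & $_->[1]) } @TRUSTED;
}

sub handler {
    my ($r) = @_;
    my $c = $r->connection;
    # client_ip is the httpd 2.4 name; remote_ip is the 2.0/2.2 name.
    my $ip = $c->can('client_ip') ? $c->client_ip : $c->remote_ip;
    return Apache2::Const::OK if ip_trusted($ip);

    # Everyone else: raise this request's mod_ssl requirements before
    # mod_ssl's own access-phase handler looks at them.
    eval {
        $r->add_config(['SSLVerifyClient require', 'SSLVerifyDepth 3']);
        1;
    } or do {
        # Fail closed: an untrusted client is never served without the directive.
        $r->log_error("add_config failed, denying request: $@");
        return Apache2::Const::HTTP_FORBIDDEN;
    };
    return Apache2::Const::OK;
}
1;
```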
