httpd-dev mailing list archives

From Daniel Risacher
Subject Re: asking mod_ssl for client certificates from another module
Date Fri, 05 Aug 2005 14:49:56 GMT

I (Daniel Risacher) wrote:

>I've been trying to figure out if there is a way to ask mod_ssl to
>require client certificates from another module before the response
>phase.  (I think the answer is 'no'.)
>In more detail, I'm prototyping an access handler that would allow
>requests from certain client IP addresses, and require client
>certificates from all others.  It seems like the mod_ssl API does not
>have a hook for requesting a renegotiation; and that this can only be done
>on a per directory basis at configure time.
>Can someone who understands mod_ssl comment on how to dynamically
>force client authentication?  Would it be feasible to make such an
>extension to the mod_ssl API?

Just to close the loop, I think I did figure out how to do this.

Here's the mod_perl2 code I used (during the access phase handler).
From looking at the mod_ssl source, I think it's important that this
happen *before* the mod_ssl access phase handler.  Since I'm not sure
how to ensure that a mod_perl access handler is called before the
mod_ssl handler, this should probably be done as a HeaderParserHandler.

sub access_handler {
    my ($r) = @_;
    if (&hostname_ok($r)) {
        $r->add_config(['SSLVerifyClient require',
                        'SSLVerifyDepth 3',

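The approach described in the message, written out as a complete mod_perl2 header-parser handler. This is an added example, not the code from the original post: the package name, the allowlist networks and the helper names are hypothetical, and it assumes the virtual host already sets SSLCACertificateFile so that mod_ssl can verify the certificate it requests.

```perl
# Hook with "PerlHeaderParserHandler My::CertGate" (hypothetical module name).
package My::CertGate;
use strict;
use warnings;
use Apache2::RequestRec  ();
use Apache2::RequestUtil ();   # provides $r->add_config
use Apache2::Connection  ();
use Apache2::Log         ();
use Apache2::Const -compile => qw(DECLINED FORBIDDEN);
use Socket qw(inet_aton);

# Turn "a.b.c.d/n" into [network, mask] as 32-bit integers.
sub parse_cidr {
    my ($net, $bits) = split m{/}, shift;
    my $packed = inet_aton($net) or die "bad network $net";
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return [ unpack('N', $packed) & $mask, $mask ];
}

# Constructed allowlist: IPv4 networks exempt from client certificates.
my @TRUSTED = map { parse_cidr($_) } qw(192.0.2.0/24 198.51.100.17/32);

sub ip_trusted {
    my ($ip) = @_;
    # Accept dotted-quad only; inet_aton would otherwise resolve hostnames.
    # Anything else (IPv6 included) is untrusted, so a certificate is required.
    return 0 unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    my $packed = inet_aton($ip) or return 0;
    my $addr = unpack('N', $packed);
    return scalar grep { ($addr & $_->[1]) == $_->[0] } @TRUSTED;
}

sub handler {
    my ($r) = @_;
    my $c  = $r->connection;
    # httpd 2.4 names the accessor client_ip; 2.0/2.2 used remote_ip.
    my $ip = $c->can('client_ip') ? $c->client_ip : $c->remote_ip;
    return Apache2::Const::DECLINED if ip_trusted($ip);

    # Untrusted peer: tighten mod_ssl's per-request settings before its
    # access hook runs. Fail closed if the directives cannot be applied.
    eval { $r->add_config(['SSLVerifyClient require', 'SSLVerifyDepth 3']); 1 }
        or do {
            $r->log_error("CertGate: add_config failed: $@");
            return Apache2::Const::FORBIDDEN;
        };
    return Apache2::Const::DECLINED;   # let the remaining phases proceed
}
1;
```

Raising SSLVerifyClient for a single request makes mod_ssl renegotiate the connection, or use post-handshake authentication on TLS 1.3, which many clients do not support. Behind a reverse proxy the connection address is the proxy's, so the allowlist check is only meaningful when the server sees the real peer address.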