To: dev@httpd.apache.org
Subject: Re: asking mod_ssl for client certificates from another module
In-Reply-To: <42F3104C.9010209@sanguis.xs4all.nl>
Reply-to: magnus@alum.mit.edu
From: Daniel Risacher
Date: Fri, 05 Aug 2005 10:49:56 -0400

I (Daniel Risacher) wrote:
> I've been trying to figure out if there is a way to ask mod_ssl to
> require client certificates from another module before the response
> phase. (I think the answer is 'no'.)
>
> In more detail, I'm prototyping an access handler that would allow
> requests from certain client IP addresses, and require client
> certificates from all others. It seems like mod_ssl API does not have
> a hook for requesting a renegotiation; and that this can only be done
> on a per directory basis at configure time.
>
> Can someone who understands mod_ssl comment on how to dynamically
> force client authentication? Would it be feasible to make such an
> extension to the mod_ssl API?
>
> Dan

Just to close the loop, I think I did figure out how to do this. Here's
the mod_perl2 code I used (during the access phase handler). From looking
at the mod_ssl source, I think it's important that this happen *before*
the mod_ssl access phase handler. Since I'm not sure how to ensure that a
mod_perl access handler is called before the mod_ssl handler, this should
probably be done as a HeaderParserHandler instead.

    use Apache2::RequestRec ();   # provides $r->add_config

    sub access_handler {
        my ($r) = @_;
        ...
        if (&hostname_ok($r)) {
            # Inject per-request SSL directives; mod_ssl's own access
            # handler, which runs later, then requires a client certificate.
            $r->add_config([
                'SSLVerifyClient require',
                'SSLVerifyDepth 3',
            ]);
            ...
        }
    }
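Putting the approach above together as a complete handler, as an added example that is not the original poster's code: a mod_perl2 PerlHeaderParserHandler that looks at the TCP peer address and injects the SSLVerifyClient directives for every peer not on an allow list, so that mod_ssl's later access-phase handler performs the renegotiation. The package name, the allow list and the log messages are assumptions; the API calls (Apache2::Connection::remote_ip, Apache2::RequestRec::add_config, Apache2::Const) are mod_perl2's for httpd 2.0/2.2 (on httpd 2.4 the peer address accessor is client_ip instead).

```perl
# Added example, not code from the original post. Package name, allow list
# and log messages are assumptions; the mod_perl2 API calls are real.
package My::ClientCertPolicy;

use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::Const -compile => qw(DECLINED);

# Constructed allow list: peers that may talk to us without a client cert.
# Assumption for the example; a real deployment would load this from config.
my %TRUSTED_PEER = map { $_ => 1 } qw(10.0.0.5 10.0.0.6);

# Registered in httpd.conf inside the protected <Location>/<Directory>:
#   PerlHeaderParserHandler My::ClientCertPolicy
# The header-parser phase runs before the access phase, so the directives
# added here are in place when mod_ssl's access handler examines them.
sub handler {
    my ($r) = @_;

    # Decide on the TCP peer address, never on X-Forwarded-For or any other
    # request header: headers are client-controlled, the socket peer is not.
    # remote_ip is the httpd 2.0/2.2 accessor (client_ip on 2.4).
    my $peer = $r->connection->remote_ip;

    if ($TRUSTED_PEER{$peer}) {
        $r->log->debug("peer $peer is on the allow list; no client cert required");
        return Apache2::Const::DECLINED;
    }

    # Per-request SSL directives. add_config's default override context
    # (AuthConfig) covers SSLVerifyClient and SSLVerifyDepth, so no extra
    # AllowOverride argument is needed.
    $r->add_config([
        'SSLVerifyClient require',
        'SSLVerifyDepth 3',
    ]);
    $r->log->debug("peer $peer is not on the allow list; requiring client cert");

    # DECLINED lets the remaining header-parser handlers run. Enforcement is
    # mod_ssl's job: it renegotiates in the access phase and returns 403 if
    # the client presents no certificate or one that fails verification.
    return Apache2::Const::DECLINED;
}

1;
```

The handler never grants access itself; it only changes what mod_ssl will demand, which keeps the certificate check in the module that actually owns the TLS state. Anything that decides the policy in a later phase (access, fixup, or the response handler) is too late, because by then mod_ssl has already read the per-directory SSLVerifyClient value for this request.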