Posted to dev@httpd.apache.org by Daniel Risacher <ma...@alum.mit.edu> on 2005/08/02 18:24:19 UTC

asking mod_ssl for client certificates from another module

I've been trying to figure out if there is a way to ask mod_ssl to
require client certificates from another module before the response
phase.  (I think the answer is 'no'.)

In more detail, I'm prototyping an access handler that would allow
requests from certain client IP addresses, and require client
certificates from all others.  It seems like mod_ssl API does not have
a hook for requesting a renegotiation; and that this can only be done
on a per directory basis at configure time.  

Can someone who understands mod_ssl comment on how to dynamically
force client authentication?  Would it be feasible to make such an
extension to the mod_ssl API?  

Dan

Re: asking mod_ssl for client certificates from another module

Posted by Daniel Risacher <ma...@alum.mit.edu>.
I (Daniel Risacher) wrote:

>I've been trying to figure out if there is a way to ask mod_ssl to
>require client certificates from another module before the response
>phase.  (I think the answer is 'no'.)
>
>In more detail, I'm prototyping an access handler that would allow
>requests from certain client IP addresses, and require client
>certificates from all others.  It seems like mod_ssl API does not
>have
>a hook for requesting a renegotiation; and that this can only be done
>on a per directory basis at configure time.
>
>Can someone who understands mod_ssl comment on how to dynamically
>force client authentication?  Would it be feasible to make such an
>extension to the mod_ssl API?
>
>Dan

Just to close the loop, I think I did figure out how to do this.

Here's the mod_perl2 code I used (during the access phase handler).
From looking at the mod_ssl source, I think it's important that this
happen *before* the mod_ssl access phase handler.  Since I'm not sure
how to ensure that a mod_perl access handler is called before the
mod_ssl handler, this should probably be done as a HeaderParserHandler
instead. 

use Apache2::RequestRec ();
use Apache2::RequestUtil ();   # provides $r->add_config
use Apache2::Const -compile => qw(OK DECLINED);

sub access_handler {
    my ($r) = @_;
    # ... (other setup elided in the original)
    if (&hostname_ok($r)) {
        # Inject per-request mod_ssl directives. This has to run before
        # mod_ssl's own access-phase handler, which is what acts on them.
        $r->add_config(['SSLVerifyClient require',
                        'SSLVerifyDepth 3',
                       ]);
        # ... (elided in the original)
    }
    # Only the configuration was changed; let mod_ssl's handler decide.
    return Apache2::Const::DECLINED;
}

Re: asking mod_ssl for client certificates from another module

Posted by Joost de Heer <jo...@sanguis.xs4all.nl>.
Daniel Risacher wrote:

>I've been trying to figure out if there is a way to ask mod_ssl to
>require client certificates from another module before the response
>phase.  (I think the answer is 'no'.)
>
>In more detail, I'm prototyping an access handler that would allow
>requests from certain client IP addresses, and require client
>certificates from all others.  It seems like mod_ssl API does not have
>a hook for requesting a renegotiation; and that this can only be done
>on a per directory basis at configure time.  
>
>Can someone who understands mod_ssl comment on how to dynamically
>force client authentication?  Would it be feasible to make such an
>extension to the mod_ssl API?  
>
>Dan
Untested:

SSLVerifyClient optional
SSLRequire %{REMOTE_ADDR} =~ m/pattern/ or %{SSL_CLIENT_S_DN_O} eq "Your Organisation"

Joost
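The policy discussed in this thread (clients from a trusted address range get in without a certificate, everybody else must present a verified client certificate), written out as an added example configuration. It is not Dan's or Joost's own config; the 10.0.0.0/8 range, the organisation name and the file paths are placeholders. Beyond the SSLRequire line above, it adds a %{SSL_CLIENT_VERIFY} check so that a certificate mod_ssl could not verify (possible once someone switches to optional_no_ca) is never accepted on the strength of its subject alone, and it shows the equivalent Apache 2.4 form, where SSLRequire is deprecated in favour of Require expr.

```apache
# Added example, not part of the thread. 10.0.0.0/8, "Your Organisation"
# and the certificate paths are placeholders.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.test.crt
    SSLCertificateKeyFile /etc/ssl/example.test.key

    # CA(s) that client certificates must chain to; depth 3 as in Dan's handler.
    SSLCACertificateFile  /etc/ssl/client-ca.crt
    SSLVerifyDepth        3

    # Request a certificate in the initial handshake but do not abort the
    # connection when none is sent; the access decision is made per request
    # below. Setting this at vhost level avoids a per-directory renegotiation.
    SSLVerifyClient optional

    <Location /protected>
        # Apache 2.0/2.2 form (the thread's approach). The SSL_CLIENT_VERIFY
        # test is the added safeguard: subject DN alone is not proof of a
        # trusted certificate.
        SSLRequire %{REMOTE_ADDR} =~ m/^10\.\d+\.\d+\.\d+$/ \
                   or ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                        and %{SSL_CLIENT_S_DN_O} eq "Your Organisation" )

        # Apache 2.4 form of the same policy (SSLRequire is deprecated there):
        # <RequireAny>
        #     Require ip 10.0.0.0/8
        #     Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_O} == 'Your Organisation'"
        # </RequireAny>
    </Location>
</VirtualHost>
```

The practical difference from Dan's add_config approach: with SSLVerifyClient require injected per request, a client outside the allowed range that has no certificate fails at the TLS handshake; with optional plus SSLRequire (or Require expr) the handshake completes and the client gets a 403 instead, which is easier to log and debug but means the request line and headers are already on the server before the decision is made.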