Daniel Risacher wrote:

I've been trying to figure out if there is a way to ask mod_ssl to
require client certificates from another module before the response
phase.  (I think the answer is 'no'.)

In more detail, I'm prototyping an access handler that would allow
requests from certain client IP addresses, and require client
certificates from all others.  It seems like the mod_ssl API does not have
a hook for requesting a renegotiation; and that this can only be done
on a per-directory basis at configure time.

Can someone who understands mod_ssl comment on how to dynamically
force client authentication?  Would it be feasible to make such an
extension to the mod_ssl API?

Dan

Untested:

SSLVerifyClient optional
SSLRequire %{REMOTE_ADDR} =~ m/pattern/ or %{SSL_CLIENT_S_DN_O} eq "Your Organisation"

Joost
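
A fuller form of the configuration suggested above, as an added example that is not part of the original thread. The CA file path, the /protected location, and the 192.0.2.0/24 address range are placeholders chosen for illustration. It also checks SSL_CLIENT_VERIFY, so the organisation field is only trusted when it comes from a certificate that chained to the configured CA.

```apache
# Added example; paths, location and address range are assumed placeholders.

# CA(s) whose client certificates are accepted. The O= field checked
# below is only as trustworthy as the issuance policy of this CA.
SSLCACertificateFile /etc/apache2/ssl/client-ca.pem

<Location /protected>
    # Ask for a client certificate but do not fail the handshake if the
    # client sends none; the decision is made by SSLRequire below.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    # Make a failed SSLRequire a hard deny even where "Satisfy any"
    # would otherwise let another access rule admit the request.
    SSLOptions +StrictRequire

    # Allow either a request from the trusted address range, or a
    # request that presented a successfully verified certificate
    # issued to the expected organisation.
    SSLRequire %{REMOTE_ADDR} =~ m/^192\.0\.2\.[0-9]+$/ \
        or ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
             and %{SSL_CLIENT_S_DN_O} eq "Your Organisation" )
</Location>
```

REMOTE_ADDR is the address of the TCP peer, so behind a reverse proxy or load balancer the address test matches the proxy rather than the end client.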
