I (Daniel Risacher) wrote:
>I've been trying to figure out if there is a way to ask mod_ssl to
>require client certificates from another module before the response
>phase. (I think the answer is 'no'.)
>
>In more detail, I'm prototyping an access handler that would allow
>requests from certain client IP addresses, and require client
>certificates from all others. It seems like the mod_ssl API does not
>have a hook for requesting a renegotiation, and that this can only be
>done on a per-directory basis at configure time.
>
>Can someone who understands mod_ssl comment on how to dynamically
>force client authentication? Would it be feasible to make such an
>extension to the mod_ssl API?
>
>Dan
Just to close the loop, I think I did figure out how to do this. Here's the mod_perl2 code I used (during the access phase handler). From looking at the mod_ssl source, I think it's important that this happen *before* the mod_ssl access phase handler. Since I'm not sure how to ensure that a mod_perl access handler is called before the mod_ssl handler, this should probably be done as a HeaderParserHandler instead.

    use strict;
    use warnings;
    use Apache2::RequestRec  ();
    use Apache2::RequestUtil ();   # provides $r->add_config
    use Apache2::Const -compile => qw(OK);

    sub access_handler {
        my ($r) = @_;
        # ... (earlier checks omitted in the original post)
        if (&hostname_ok($r)) {
            # Inject per-request SSL directives; mod_ssl's own access-phase
            # handler picks them up and renegotiates to demand a client cert.
            $r->add_config(['SSLVerifyClient require',
                            'SSLVerifyDepth 3',
                           ]);
            # ... (rest of the branch omitted in the original post)
        }
        return Apache2::Const::OK;
    }
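As an added illustration of the approach Dan describes (this is not code from his post), here is a complete mod_perl2 header-parser handler that lets an allow-list of client IP addresses through on IP alone and injects SSLVerifyClient require for every other peer, so that mod_ssl's later access-phase handler renegotiates and demands a certificate. The package name My::ClientCertGate, the allow-list contents and the log messages are assumptions made for the example; add_config, is_initial_req, connection->remote_ip and log->debug are standard mod_perl 2 calls, with remote_ip being the pre-httpd-2.4 name (client_ip on httpd 2.4 builds of mod_perl).

```perl
package My::ClientCertGate;

use strict;
use warnings;

use Apache2::RequestRec  ();
use Apache2::RequestUtil ();   # $r->add_config, $r->is_initial_req
use Apache2::Connection  ();   # $r->connection->remote_ip
use Apache2::Log         ();   # $r->log->debug
use Apache2::Const -compile => qw(DECLINED);

# Constructed allow-list for this example: peers connecting from these
# addresses are admitted on IP alone; everyone else must present a client
# certificate. Replace with your own source of truth (assumed values).
my %TRUSTED_IP = map { $_ => 1 } qw(192.0.2.10 192.0.2.11 198.51.100.7);

# mod_ssl parameters applied to non-allow-listed peers (assumed values).
my @REQUIRE_CLIENT_CERT = (
    'SSLVerifyClient require',
    'SSLVerifyDepth 3',
);

sub handler {
    my ($r) = @_;

    # Decide once per main request; subrequests and internal redirects
    # share the connection and inherit the negotiated state.
    return Apache2::Const::DECLINED unless $r->is_initial_req;

    # This is the TCP peer address. Behind a reverse proxy it is the proxy,
    # not the end client, so an allow-list keyed on it must not be trusted
    # from X-Forwarded-For or similar client-supplied headers.
    my $peer = $r->connection->remote_ip;   # client_ip on httpd 2.4

    if ($TRUSTED_IP{$peer}) {
        $r->log->debug("client-cert gate: $peer is allow-listed, no certificate required");
        return Apache2::Const::DECLINED;
    }

    # Per-request directives. mod_ssl's access-phase handler compares the
    # effective SSLVerifyClient with what the connection negotiated and
    # renegotiates when they differ, which is why this handler must run in
    # the header-parser phase, ahead of mod_ssl's access handler.
    $r->add_config(\@REQUIRE_CLIENT_CERT);

    $r->log->debug("client-cert gate: $peer not allow-listed, requiring client certificate");
    return Apache2::Const::DECLINED;
}

1;
```

Register it with `PerlHeaderParserHandler My::ClientCertGate` in the <Location> or <Directory> whose static configuration carries `SSLVerifyClient none` (or `optional`). To confirm the gate is doing what you expect, request the resource from an address outside the allow-list without a certificate and check that mod_ssl rejects the request and that the debug line above appears in the error log; a request from an allow-listed address should succeed without any renegotiation.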