I (Daniel Risacher) wrote:
>I've been trying to figure out if there is a way to ask mod_ssl to
>require client certificates from another module before the response
>phase. (I think the answer is 'no'.)
>
>In more detail, I'm prototyping an access handler that would allow
>requests from certain client IP addresses, and require client
>certificates from all others. It seems like mod_ssl API does not
>have
>a hook for requesting a renegotiation; and that this can only be done
>on a per directory basis at configure time.
>
>Can someone who understands mod_ssl comment on how to dynamically
>force client authentication? Would it be feasible to make such an
>extension to the mod_ssl API?
>
>Dan
Just to close the loop, I think I did figure out how to do this.
Here's the mod_perl2 code I used (during the access phase handler).
From looking at the mod_ssl source, I think it's important that this
happen *before* the mod_ssl access phase handler. Since I'm not sure
how to ensure that a mod_perl access handler is called before the
mod_ssl handler, this should probably be done as a HeaderParserHandler
instead.
    use strict;
    use warnings;
    use Apache2::RequestRec  ();
    use Apache2::RequestUtil ();   # provides $r->add_config
    use Apache2::Const -compile => qw(DECLINED);

    sub access_handler {
        my ($r) = @_;
        ...
        if (&hostname_ok($r)) {
            # Inject per-request SSL directives so that mod_ssl's own
            # access hook sees "require" and renegotiates for a client cert.
            $r->add_config(['SSLVerifyClient require',
                            'SSLVerifyDepth 3',
                           ]);
            ...
        }
        return Apache2::Const::DECLINED;   # let later access handlers run
    }
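The design sketched in the original question (serve trusted client IPs without a certificate, require one from everyone else) as a complete mod_perl2 HeaderParserHandler. This is an added example and not the poster's code; the module name, the allowlist networks and the `peer_is_trusted` helper are all constructed for illustration. It assumes mod_perl 2.0.8 or later on httpd 2.4 (for `$c->client_ip`) and falls back to `remote_ip` on older builds.

```perl
# Added example, not the original poster's code.
# httpd.conf:
#   PerlModule My::ConditionalClientCert
#   PerlHeaderParserHandler My::ConditionalClientCert
package My::ConditionalClientCert;   # hypothetical module name
use strict;
use warnings;
use Apache2::RequestRec  ();
use Apache2::RequestUtil ();          # $r->add_config
use Apache2::Connection  ();
use Apache2::Const -compile => qw(DECLINED);
use Socket ();

# Constructed allowlist: peers inside these IPv4 networks are served
# without a client certificate; every other peer must present one.
my @TRUSTED = ('10.0.0.0/8', '192.168.1.0/24');

# Parse "a.b.c.d/n" once into [network, mask] integer pairs.
my @TRUSTED_NETS = map {
    my ($net, $bits) = split m{/}, $_;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    [ unpack('N', Socket::inet_aton($net)) & $mask, $mask ];
} @TRUSTED;

# True when $ip (dotted quad) falls inside one of the trusted networks.
sub peer_is_trusted {
    my ($ip) = @_;
    my $packed = Socket::inet_aton($ip) or return 0;   # IPv4 only here
    my $n = unpack 'N', $packed;
    for my $net (@TRUSTED_NETS) {
        return 1 if ($n & $net->[1]) == $net->[0];
    }
    return 0;
}

sub handler {
    my ($r) = @_;
    # Decide on the TCP peer address, never on X-Forwarded-For or similar:
    # a request header is attacker-controlled and would let any client
    # claim a trusted address and skip the certificate requirement.
    my $c  = $r->connection;
    my $ip = $c->can('client_ip') ? $c->client_ip : $c->remote_ip;

    unless (peer_is_trusted($ip)) {
        # Per-request directive injection; mod_ssl's access hook, which
        # runs in the later access_checker phase, picks these up and
        # renegotiates to obtain and verify the client certificate.
        $r->add_config([ 'SSLVerifyClient require', 'SSLVerifyDepth 3' ]);
    }
    return Apache2::Const::DECLINED;   # let other header-parser hooks run
}

1;
```

Running this in the header-parser phase keeps it ahead of mod_ssl's access_checker hook, which is the ordering the follow-up above says matters. Two things to check in a deployment: the untrusted-peer branch must also be exercised in testing (a wrong allowlist fails open, not closed), and renegotiation only exists for TLS 1.2 and earlier; with TLS 1.3, current mod_ssl falls back to post-handshake authentication, which the client must support or the request is refused.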