SSL and client authentication

Paul Guyot <>
Sun Nov 14 17:27:58 CET 2010


> I'm using the SSL verify_peer option in a Web server with
> fail_if_no_peer_cert set to true; I was wondering if there is a way to force
> a client to send a valid certificate for some Web server paths and ignore it
> for others: for example, if a client tries to make a request to, say,
> https://host/url1, then I want it to send also a valid certificate, but if
> it makes a request to https://host/url2, then it may not send any
> certificate and the request will be accepted anyway. Basically I want mutual
> auth only for a couple of URLs...

SSL handshake happens before any HTTP data is exchanged. Therefore, the server cannot know in advance, when the handshake occurs, if the client wants to access url1 or url2.

For such a situation, you can have two hostnames, e.g. https://verified.host.com/ and https://regular.host.com/

Paul
-- 
Semiocast                    http://semiocast.com/
+33.175000290 - 62 bis rue Gay-Lussac, 75005 Paris



More information about the erlang-questions mailing list