SSL and client authentication

mpalmer@REDACTED
Mon Nov 15 06:47:23 CET 2010


>> I'm using the SSL verify_peer option in a Web server with
>> fail_if_no_peer_cert set to true; I was wondering if there is a way to
>> force a client to send a valid certificate for some Web server paths and
>> ignore it for others: for example, if a client tries to make a request to,
>> say, https://host/url1, then I want it to send also a valid certificate,
>> but if it makes a request to https://host/url2, then it may not send any
>> certificate and the request will be accepted anyway. Basically I want
>> mutual auth only for a couple of URLs...
>
> SSL handshake happens before any HTTP data is exchanged. Therefore, the
> server cannot know in advance, when the handshake occurs, if the client
> wants to access url1 or url2.

However, the SSL handshake *has* occurred by the time the response is sent
back, so it shouldn't be impossible for the server to check the URL and
(whether a/which) client certificate was presented, and serve or deny the
request as appropriate.

Since the OP has decided to use nginx, there's not much point in going
into the mechanics of how to do that in Erlang.

- Matt
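One way to do what Matt describes, in the nginx the OP moved to: request a client certificate from everyone but only enforce it per location once the request path is known. This is an added example, not configuration from the thread; the certificate and CA file paths, the `server_name` and the `127.0.0.1:8080` upstream are assumptions.

```nginx
# Added example (not from the thread): per-location client-certificate
# enforcement. File paths, server_name and the upstream are assumed.
server {
    listen 443 ssl;
    server_name host;

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;   # assumed path

    # Ask every client for a certificate during the handshake, but do not
    # abort the handshake when none is sent. A certificate that IS sent
    # must still chain to this CA, or the handshake fails.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # assumed path
    ssl_verify_client      optional;

    # /url1: mutual auth required. The handshake is finished by the time
    # nginx routes the request, so the path is known and $ssl_client_verify
    # reports whether a valid certificate was presented ("SUCCESS" or "NONE").
    location /url1 {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }

    # /url2: no certificate needed; anonymous clients are served.
    location /url2 {
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else: deny unless a valid certificate was presented, so a
    # newly added path is protected by default rather than left open.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

A client that sends no certificate completes the handshake and is refused for /url1 at the HTTP layer with a 403 rather than a TLS alert, which is exactly the ordering Matt points out.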
