Hi all, I recently came across a feature that apache has and cherokee doesn't, and as far as I can tell it prevents me from using cherokee to set up my site with the security features I want.
What I'd like to have is two security domains within the same website - one of which is open to all, and the other of which requires trusted client certificates to access. So you can browse / and /public with no (or regular) authentication, but to get to /private you need a valid client cert signed by my own CA. I've seen this on a number of corporate intranet websites, where they have a wiki or similar that anyone can view but only authenticated users can edit. To do this in apache, you would add a "SSLVerifyClient require" clause within a <directory> block or a .htaccess file. If this causes apache to perform an SSL renegotiation, that happens in the background and is more-or-less transparent to the user. In cherokee, the only place you can specify SSL client certs behavior is in the "Virtual Server: <server>/Security" tab, so you can only have one setting per virtual server. You can't go into one of the rules listed in "Virtual Server: <server>/Behavior" and specify a per-rule override in the "Security" tab there. In addition, while you can serve multiple hostnames with a single virtual server, a given hostname can only be served by one virtual server. Would it be too much trouble to add a per-rule override to the SSL client certs? Thanks! PS: When dealing with client certs, it is important to check that the cert isn't on the CA's certificate revocation list. I scanned the source code, and aside from recognizing the MIME type cherokee doesn't seem to be aware of CRLs. _______________________________________________ Cherokee mailing list [email protected] http://lists.octality.com/listinfo/cherokee
