On Wed, May 31, 2000 at 09:15:31AM -0600, Joel Smith wrote:
>
> I need the local users to use HTTPS also, since they will be authenticating with
> username/password. I don't like stuff flying around in the clear. That's why it's
> trickier.
> Is there a directive that says "Require cert unless originating from IP address
> xxx.xxx.xxx.xxx"? Your idea is similar to the different virtual host solution I
> proposed, i.e. give one url to internal people, another to external, and the
> internal vhost will only talk to LAN users, the external will require a cert, but
> since our whole company is passing around intranet URLs all the time, it's not
> practical to train users to send both urls, or for people to figure out why a
> given URL isn't working for them. I want one host, https, that can decide if a
> cert is needed to authenticate based on originating IP address.
Ah, I missed the part about using https locally - that changes my suggestion a bit.
You could make it real simple by giving your machine two ip addresses and making two
https virtual hosts - one accepting local connections without certs and the other
requiring certs. Alternatively you could set up something based on
SSLVerifyClient optional (http://www.modssl.org/docs/2.6/ssl_reference.html#ToC17)
which will give the clients an option of presenting a cert and then with SSLRequire
handle the different cases about ip address and whether to require a client cert.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
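
One way to write the `SSLVerifyClient optional` plus `SSLRequire` approach suggested in the reply above, as an added example that is not part of the original thread. The LAN range 192.168.1.0/24, the hostname and the file paths are assumptions.

```apache
# Added illustration, not from the original thread.
# Assumptions: the LAN is 192.168.1.0/24; hostname and paths are placeholders.
<VirtualHost _default_:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA that issued the client certificates given to external users
    SSLCACertificateFile  /path/to/client-ca.crt

    # Request a client certificate during the handshake,
    # but let the connection proceed if the client sends none.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location />
        # Grant access when a client certificate was presented and verified,
        # or when the connection originates from the LAN range.
        # Everyone else (external, no certificate) is refused.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                or %{REMOTE_ADDR} =~ m/^192\.168\.1\.[0-9]+$/
    </Location>
</VirtualHost>
```

`REMOTE_ADDR` is the address of the TCP peer, so if a proxy or NAT device sits between clients and this host, every request arriving through it matches or fails the LAN test as a group.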