Mailing List Archive: Cherokee: users

Feature request: per-rule client certs setting



a.c.junker at gmail

Nov 18, 2009, 6:32 PM


Hi all,
I recently came across a feature that Apache has and Cherokee
doesn't, and as far as I can tell it prevents me from using Cherokee
to set up my site with the security features I want.

What I'd like to have is two security domains within the same website
- one of which is open to all, and the other of which requires trusted
client certificates to access. So you can browse / and /public with no
(or regular) authentication, but to get to /private you need a valid
client cert signed by my own CA.

I've seen this on a number of corporate intranet websites, where they
have a wiki or similar that anyone can view but only authenticated
users can edit.

To do this in Apache, you would add an "SSLVerifyClient require" clause
within a <Directory> block or a .htaccess file. If this causes Apache
to perform an SSL renegotiation, that happens in the background and is
more-or-less transparent to the user.

In Cherokee, the only place you can specify SSL client certs behavior
is in the "Virtual Server: <server>/Security" tab, so you can only
have one setting per virtual server. You can't go into one of the
rules listed in "Virtual Server: <server>/Behavior" and specify a
per-rule override in the "Security" tab there.

In addition, while you can serve multiple hostnames with a single
virtual server, a given hostname can only be served by one virtual
server.

Would it be too much trouble to add a per-rule override to the SSL client certs?

Thanks!

PS: When dealing with client certs, it is important to check that the
cert isn't on the CA's certificate revocation list. I scanned the
source code, and aside from recognizing the MIME type Cherokee doesn't
seem to be aware of CRLs.
_______________________________________________
Cherokee mailing list
Cherokee [at] lists
http://lists.octality.com/listinfo/cherokee
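
The Apache setup the post refers to, written out as an added example (it is not from the post, nor from the Cherokee or Apache projects): one virtual host, a public area served with no client certificate, and a /private location that additionally requires a certificate chaining to an in-house CA, with the CA's CRL consulted. The hostname, file paths and buffer size are placeholders.

```apache
# Added example: Apache httpd mod_ssl virtual host with a public area and a
# /private area that demands a client certificate from an in-house CA.
# Hostname and paths are assumed placeholders.
<VirtualHost *:443>
    ServerName intranet.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    # Trust anchors for client certificates: only the in-house CA, not the
    # system bundle, so a certificate from any public CA is rejected.
    SSLCACertificateFile  /etc/ssl/ca/internal-ca.pem

    # CRL published by that CA. On httpd 2.2 the presence of this file is
    # enough to turn on CRL checking; on 2.4 SSLCARevocationCheck must also
    # be set (its default is "none"), and the directive does not exist on 2.2.
    SSLCARevocationFile   /etc/ssl/ca/internal-ca.crl
    SSLCARevocationCheck  chain

    # Default for the whole virtual host: no client certificate is requested,
    # so / and /public behave like any other HTTPS site.
    SSLVerifyClient none
    DocumentRoot /var/www/intranet

    # /private overrides the virtual-host setting. The URI is only known after
    # the first TLS handshake, so mod_ssl renegotiates the session on the first
    # request into this location and asks for the certificate then.
    <Location /private>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # A request body that arrives before the renegotiation is buffered up
        # to this many bytes; larger POSTs to /private are rejected with 413.
        SSLRenegBufferSize 262144
    </Location>
</VirtualHost>
```

Two caveats a practitioner would want next to this. First, the "background" renegotiation is the mechanism that CVE-2009-3555 (published the same month as this post) abused; current OpenSSL builds only renegotiate with peers that support the RFC 5746 secure renegotiation extension, and under TLS 1.3 there is no renegotiation at all, so per-location client authentication there depends on post-handshake authentication support in both httpd and the client. Second, a CRL is only as fresh as the file on disk: it has to be re-fetched from the CA on a schedule and httpd reloaded, otherwise a revoked certificate keeps working until someone notices.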
