
url based ssl configuration


C.Jantzen

Nov 18, 2009, 9:06:43 AM11/18/09
Hi

I wanted to see if it is possible to do some url based ssl
configuration.

Like
/user1/some/stuff is mapped to a certificate with common name user1
/user2/some/stuff is mapped to a certificate with common name user2
/user3/some/stuff is mapped to a certificate with common name user3

"Álvaro G. Vicario"

Nov 18, 2009, 10:07:24 AM11/18/09
C.Jantzen wrote:

I'm not sure I understand you but certificates must be attached to an IP
and port combination. Anything else (including host name) is ignored.

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site on web programming: http://borrame.com
-- My humour site: http://www.demogracia.com
--

Burkhard Ott

Nov 18, 2009, 11:35:22 AM11/18/09
On Wed, 18 Nov 2009 16:07:24 +0100, Álvaro G. Vicario wrote:

> C.Jantzen wrote:
>
>> I wanted to see if it is possible to do some url based ssl
>> configuration.
>>
>> Like
>> /user1/some/stuff is mapped to a certificate with common name user1
>> /user2/some/stuff is mapped to a certificate with common name user2
>> /user3/some/stuff is mapped to a certificate with common name user3
>
> I'm not sure I understand you but certificates must be attached to an IP
> and port combination. Anything else (including host name) is ignored.
>

Yes, before you send the host part in HTTP you already have an SSL socket
open and the cert is checked.
You can only serve 1 certificate on 1 IP address, so if you connect
you'll have the same CN every time, even if you configure various virtual
hosts.

cheers

C.Jantzen

Nov 18, 2009, 5:39:15 PM11/18/09

It's because we are using SSL with client validation and therefore I get
the certificate information from the connecting part.

C.Jantzen

Nov 18, 2009, 5:43:44 PM11/18/09

I have thought of 2 different setups.

1. Each part has its own port and I can bind that configuration to a
specific certificate information.
2. Each part has its own hostname and I sort on host name and
configure that to a specific certificate information.
3. Same virtual host, but a part in each URL is configured to a
specific certificate information.

Burkhard Ott

Nov 18, 2009, 6:21:41 PM11/18/09
On Wed, 18 Nov 2009 14:43:44 -0800, C.Jantzen wrote:

>> It's because we are using SSL with client validation and therefore I get
>> the certificate information from the connecting part.

Why aren't you using a wildcard CN?

> 1. Each part has its own port and I can bind that configuration to a
> specific certificate information.

Who/What is 'each part'?
What are you going to do if you need to serve 2000 users, using 200 ports for
Apache?

> 2. Each part has its own hostname and I sort on host name and configure
> that to a specific certificate information.

Why not use Basic auth or similar? After the authentication you know
the user and can redirect him/her to the correct directory.

> 3. Same virtual host, but a
> part in each URL is configured to a specific certificate information.

Once I know what 'part' is I'll probably understand this question.

cheers

C.Jantzen

Nov 19, 2009, 3:43:50 AM11/19/09
On 19 Nov., 00:21, Burkhard Ott <news2...@derith.de> wrote:
> On Wed, 18 Nov 2009 14:43:44 -0800, C.Jantzen wrote:
> >> It's because we are using SSL with client validation and therefore I get
> >> the certificate information from the connecting part.
>
> Why aren't you using a wildcard CN?
>
> > 1. Each part has its own port and I can bind that configuration to a
> > specific certificate information.
>
> Who/What is 'each part'?
> What are you going to do if you need to serve 2000 users, using 200 ports for
> Apache?

A part is a partner that my company talks with. We provide some
services that they (the part) use.

> > 2. Each part has its own hostname and I sort on host name and configure
> > that to a specific certificate information.

> Why not use Basic auth or similar? After the authentication you know
> the user and can redirect him/her to the correct directory.

There are not going to be many partners using this service, fewer than
5.
Because we would like to use certificate information instead, as it is
our policy.
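The third setup discussed in this thread (one virtual host, one URL prefix per partner, each prefix tied to the CN of the partner's client certificate), written out as an added example that is not from any post above. It assumes Apache httpd with mod_ssl, which Burkhard's reply mentions; the hostname, file paths and CA file are placeholders.

```apache
# Added example (not from the thread): one IP:port, one server certificate,
# client certificates verified at the handshake, CN checked per URL prefix.
<VirtualHost *:443>
    ServerName services.example.com                 # placeholder hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt      # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/server.key    # placeholder path
    # CA that issued the partners' client certificates (placeholder path)
    SSLCACertificateFile  /etc/ssl/certs/partner-ca.crt

    # Request and verify a client certificate during the initial handshake.
    # Set here (vhost level) rather than per <Location>, because the handshake
    # completes before the request line is read, so the path cannot decide
    # whether a certificate is requested. This alone only proves the client
    # holds *some* certificate chaining to partner-ca.crt.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Bind each path prefix to exactly one partner by the subject CN of the
    # presented client certificate. Apache 2.4 users can write the same check
    # as: Require expr %{SSL_CLIENT_S_DN_CN} == "user1"
    <Location /user1/some/stuff>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user1"
    </Location>
    <Location /user2/some/stuff>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user2"
    </Location>
    <Location /user3/some/stuff>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "user3"
    </Location>
</VirtualHost>
```

A request to /user2/some/stuff with a valid partner-CA certificate whose CN is user1 is refused with 403, and the mismatch is visible in the SSL error log, so every path stays bound to its partner while the server still presents one certificate on one IP:port.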
