Client Certificates in Mongrel

I think the cert is just used by Apache for the SSL handshake... it's not passed along as a header or anything (that would be a big header).

What I've done is to have Apache (in the SSL conf) add certain headers to the request if the cert is verified:

     RequestHeader set X_FORWARDED_PROTO "https"
     RequestHeader set X_SSL_VERIFIED "true"

and then check for these headers in the Rails code.

HTH.

b
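
One way to write the application-side check for the two headers described in the message above, as an added example that is not code from the original post. Assumptions: the request env is a CGI/Rack-style hash (so the headers appear as `HTTP_X_SSL_VERIFIED` and `HTTP_X_FORWARDED_PROTO`), `REMOTE_ADDR` holds the socket peer rather than a forwarded client address, and Apache runs on the same host as the app server; the function and constant names are hypothetical.

```ruby
require 'ipaddr'

# Assumption: Apache and the app server share a host, so loopback is the only
# peer allowed to assert TLS state. Replace with your proxy's addresses.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1'), IPAddr.new('::1')].freeze

# CGI/Rack-style env keys for the two headers set in the Apache SSL conf.
VERIFIED_KEY = 'HTTP_X_SSL_VERIFIED'
PROTO_KEY    = 'HTTP_X_FORWARDED_PROTO'

# True only when the connection itself came from a trusted proxy.
# Assumption: REMOTE_ADDR is the socket peer, not a forwarded client address.
def from_trusted_proxy?(env)
  addr = env['REMOTE_ADDR']
  return false unless addr.is_a?(String) && !addr.empty?
  peer = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |proxy| proxy.include?(peer) }
rescue ArgumentError # IPAddr's parse errors are ArgumentError subclasses
  false
end

# Decide whether to treat the request as carrying a verified client cert.
# Returns [allowed, reason] so the reason can be logged on rejection.
def client_cert_verified(env)
  return [false, 'not from trusted proxy'] unless from_trusted_proxy?(env)
  return [false, 'not https'] unless env[PROTO_KEY] == 'https'
  # Exact match: a missing header, or a repeated one that reaches the app
  # comma-joined ("true, true"), is rejected.
  return [false, 'cert not verified'] unless env[VERIFIED_KEY] == 'true'
  [true, 'ok']
end

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
  via_proxy_verified: { 'REMOTE_ADDR' => '127.0.0.1', PROTO_KEY => 'https', VERIFIED_KEY => 'true' },
  via_proxy_plain:    { 'REMOTE_ADDR' => '127.0.0.1' },
  direct_to_backend:  { 'REMOTE_ADDR' => '203.0.113.9', PROTO_KEY => 'https', VERIFIED_KEY => 'true' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |name, env|
    allowed, reason = client_cert_verified(env)
    puts format('%-20s allowed=%-5s %s', name, allowed, reason)
  end
end
```

The check only holds if Apache also clears any client-supplied copy of these headers on virtual hosts that do not set them, and if the backend port is reachable only through Apache.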

Fred Kaufman wrote:

Well, you're pushing the boundaries of my knowledge here.... maybe try dumping various SSL env vars[1] into the logs and see what you come up with?

That or maybe there's an SSL wizard lurking out there?

b

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

Fred Kaufman wrote: