Question

Based on the documentation, Apache allows requesting client certificate authentication for one directory and not requesting it for another directory. http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#arbitraryclients

How is it possible?

I assumed that TLS/SSL first does a handshake (including client certificate validation) and only after that is the HTTP request sent over the secured channel. And this HTTP request contains the URL.

So, it looks like to get to a URL (a directory) you need to do (or skip) client certificate authentication first.

So, it's not clear to me how Apache can check the URL first and decide later whether to request client certificate authentication or not.


Solution

It uses SSL/TLS renegotiation: the server sends a TLS Hello Request message to ask the client to trigger a new handshake by sending a new Client Hello message (and this time the server will send a Certificate Request after its Server Hello message).

The Hello Request message could in principle happen at any time during the HTTP exchange. For this particular feature, the server sends it just after receiving the request (therefore knowing which resource was requested), but before sending its response.
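To make the mechanism above concrete, here is an added example (not part of the original question or answer, and not a verbatim excerpt of the Apache documentation) of a minimal mod_ssl virtual host that asks for a client certificate only under one URL prefix. The hostname, file paths and the `/secure/` prefix are placeholders.

```apache
# Added example: per-directory client certificate authentication in mod_ssl.
# Hostname, paths and the /secure/ prefix are assumptions, not from the page.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Site-wide default: the initial handshake sends no CertificateRequest,
    # so anonymous clients can reach everything outside /secure/.
    SSLVerifyClient none

    # CA(s) a client certificate must chain to once renegotiation happens.
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    <Location /secure/>
        # Only after reading the request line and headers for a URL under
        # /secure/ does mod_ssl send a HelloRequest and run a second
        # handshake, this time with a CertificateRequest.
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # A request body (e.g. a POST) that arrives before the renegotiation
    # completes has to be buffered; a body larger than this many bytes is
    # rejected with 413. Raise it only as far as your uploads need.
    SSLRenegBufferSize 131072
</VirtualHost>
```

Two caveats worth checking against your own deployment. First, TLS 1.3 (RFC 8446) removed renegotiation entirely and replaced it with post-handshake client authentication, so whether this directory-level `SSLVerifyClient` works on a given connection depends on the protocol version negotiated and on the server build supporting that newer mechanism; confirm with `openssl s_client -connect www.example.com:443 -cert client.crt -key client.key`, send a `GET /secure/ HTTP/1.1` request by hand, and watch for the second handshake before the response arrives. Second, because the request for `/secure/` is already parsed before the client is authenticated, keep the buffer limit modest so unauthenticated clients cannot make the server hold large bodies in memory while the renegotiation is pending.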

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow