Lighttpd

lighty needs to know whether to request a client certificate before it sees the actual request (i.e. after the TLS Client Hello). Matching the hostname should work when the client supports SNI.

Thanks for your reply, ssl.verifyclient works fine if applied to the whole document root (no $HTTP["url"] applied) .
Moreover the folder condition $HTTP["url"] works fine with a rule like url.access-deny (for example) also inside $SERVER["socket"] condition.

Then they work fine when applied separetedly.

In my configuration I want to use them together : I need to ssl.verifyclient a specific folder of my document root as follow :

$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"

$HTTP["url"] =~ "^/login/" {
       ssl.ca-file = "/etc/lighttpd/certs/rootCA.crt" 
       ssl.verifyclient.activate = "enable" 
       ssl.verifyclient.enforce = "enable" 
       ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN" 
       ssl.verifyclient.depth = 1
    }

}

Unfortunately it doesn't work that is no ssl.verifyclient is performed when accessing the folder "login".
Can I use these contitions together or something is wrong in my configuration?
Thanks.

See #2245. This is likely to be part of lighttpd 1.4.46. Testing and feedback welcome. Some patches with this functionality will be pushed to lighttpd git master in the next week or two.