I'd like to serve the same website with a different TLS certificate for different ranges of source IP addresses. For instance, on one block, I expect users to connect with browsers where a company's local CA is installed in the client's root trust store. On another block, there will be another group of users who don't have that local CA, so I'd like to present a self-signed cert or one signed by their company's CA. On yet another block will be an M2M connection where a simple self-signed cert is all that's needed.
I've read about using ssl_multicert.config in Apache Traffic Server, or using Server Name Indication (SNI), but those all deal with the destination IP (server), not the source IP (client).
I know I could run Apache on a separate port for each certificate and then play with the REDIRECT jump target in iptables. I'm looking for a clean way to do this using just Apache (2.4) configuration options. Anyone know?