Expired and Revoked Certificates

I have two issues that I wondered if anyone could assist me with:

When I test a revoked client certificate against the CRL I get a
Security Alert Message that says 'The security certificate for this site
has been revoked. This site should not be trusted.'

This sounds like the site that the user wants to access has a revoked
server certificate NOT the client certificate. I have verified in the
error report that the client ssl hand-shake failed due to the CLIENT
CERTIFICATE being revoked, so why does the message say what it does?

Also, when I test an expired client certificate it brings back a 'Page
Cannot be Displayed' error message. Does anyone know how I can get it
to return a 'Your certificate has expired' error message in place of the
'Page Cannot be Displayed' message?

I would appreciate any help that anyone might have to offer. Thanks!
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Expired and Revoked Certificates

On Thu, Jun 20, 2002 at 10:04:40AM -0500, Mary Peterson wrote:
> I have two issues that I wondered if anyone could assist me with:
>
> When I test a revoked client certificate against the CRL I get a
> Security Alert Message that says 'The security certificate for this site
> has been revoked. This site should not be trusted.'

It's a bug with Internet Explorer. I noticed it too.

If you used Mozilla - you'd see it report "your certificate has expired" -
i.e. a correct response.

> Also, when I test an expired client certificate it brings back a 'Page
> Cannot be Displayed' error message. Does anyone know how I can get it
> to return a 'Your certificate has expired' error message in place of the
> 'Page Cannot be Displayed' message?

Pretty hard. As your cert has expired, then there is no channel over which
to send you that HTML :-) Nope, I'm afraid nothing but the client can give
that information.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Expired and Revoked Certificates

Thank you for your input!

>>> Jason.Haar@trimble.co.nz 06/20/02 06:22PM >>>
On Thu, Jun 20, 2002 at 10:04:40AM -0500, Mary Peterson wrote:
> I have two issues that I wondered if anyone could assist me with:
>
> When I test a revoked client certificate against the CRL I get a
> Security Alert Message that says 'The security certificate for this
site
> has been revoked. This site should not be trusted.'

It's a bug with Internet Explorer. I noticed it too.

If you used Mozilla - you'd see it report "your certificate has
expired" -
i.e. a correct response.

> Also, when I test an expired client certificate it brings back a
'Page
> Cannot be Displayed' error message. Does anyone know how I can get
it
> to return a 'Your certificate has expired' error message in place of
the
> 'Page Cannot be Displayed' message?

Pretty hard. As your cert has expired, then there is no channel over
which
to send you that HTML :-) Nope, I'm afraid nothing but the client can
give
that information.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org

User Support Mailing List modssl-users@modssl.org

Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org