Useful error pages for users

on 28.08.2002 11:00:08 by Danny Kruitbosch

Hi,

I'm trying to figure out the following:

We're using client certs for authentication and the authentication works
fine. But when a user connects and isn't able to present his cert or his
cert is revoked he gets a 'DNS or server error' (IE 5.5/6.0). I would
like to redirect this user to a custom error page saying something
intelligent like:

"Certificate revoked"
"No certificate presented"
"Unable to verify certificate"

or server specific errors like:

CRL expired
Unable to verify certificate


How can I set this up?
(Is there a list of specific error codes SSL uses and can I use the
ErrorDocument directive on this? If so, where do I find this list of SSL
error codes?)

Thanks,

Danny

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Useful error pages for users

on 29.08.2002 10:20:52 by Boyle Owen

The SSL session is established *before* any HTTP traffic takes place. If the session fails to be set up, the client cannot send any request through to apache, which operates at the HTTP layer. So the server isn't really aware that any request was made and so can't very well generate a response...

I think you'd have to hack into the mod_ssl code to achieve this.

Rgds,

Owen Boyle


RE: Useful error pages for users

on 29.08.2002 12:23:23 by Jeff AA

You can accomplish the desired error message effect like so:
in your httpd.conf

    SSLVerifyClient optional

Then write a handler to protect all your pages/images that checks the
client certificate for whatever details you want to test, and redirects
to a page with the error message that you want to display, or allows the
access to proceed.

I'm not sure what happens when the cert is expired, the CRL is out of
date etc, as this will get checked before your handler - testing will
tell you this, but at least you will be able to tell folks with no
client cert that they have to get one!

Such a handler would be a cinch in mod_perl - why not ask in the
mod_perl lists, there might already be such a CPANish beastie. Or cut
your own in PHP, Java etc.

Regards
Jeff
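
The handler described in the message above could look like this in Python (an added example, not code from the thread or from mod_ssl). It assumes the server exposes mod_ssl's SSL_CLIENT_VERIFY value to the handler's environment; the names classify_client_cert and cert_gate and the reason-to-message table are hypothetical. Because "SSLVerifyClient optional" moves the access decision into the handler, only SUCCESS is let through and every other value gets a fixed message.

```python
# Added illustration; not code from the thread or from mod_ssl.
# Assumption: the web server passes mod_ssl's SSL_CLIENT_VERIFY value
# (NONE, SUCCESS, GENEROUS or FAILED:reason) in the request environment.

# Reason text -> user-facing message. The reason strings are assumed to be
# OpenSSL verification error texts; confirm them against your own build.
REASON_MESSAGES = {
    "certificate revoked": "Certificate revoked",
    "certificate has expired": "Certificate expired",
    "CRL has expired": "CRL expired",
}
DEFAULT_FAILURE = "Unable to verify certificate"


def classify_client_cert(environ):
    """Return (allowed, message) for one request. Only SUCCESS is allowed."""
    verify = environ.get("SSL_CLIENT_VERIFY", "").strip()
    if verify == "SUCCESS":
        return True, ""
    if verify == "NONE":
        return False, "No certificate presented"
    if verify.startswith("FAILED:"):
        reason = verify[len("FAILED:"):].strip()
        # Never echo the raw reason to the browser; map it to fixed text.
        return False, REASON_MESSAGES.get(reason, DEFAULT_FAILURE)
    # GENEROUS, a missing variable or anything unexpected: fail closed.
    return False, DEFAULT_FAILURE


def cert_gate(app):
    """WSGI middleware (hypothetical name) that serves the error page itself."""
    def wrapper(environ, start_response):
        allowed, message = classify_client_cert(environ)
        if allowed:
            return app(environ, start_response)
        body = ("<html><body><h1>%s</h1></body></html>" % message).encode("ascii")
        start_response("403 Forbidden", [
            ("Content-Type", "text/html; charset=us-ascii"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return wrapper
```

Whether a FAILED value ever reaches the handler depends on the verify mode in use, so the FAILED branch needs testing against the real server.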

