Redirection on bad cert
on 05.02.2003 09:08:17 by cybersushi
Hi,
As long as you're still in the SSL handshake phase (checking the client certs etc), you're not able to redirect the client to an error page. In this phase you're not talking HTTP yet.
The only way I know to solve this is to allow all clients to pass (by setting SSLClientVerifiy to optional) and passing the result to your webapp (by setting SSLOptions +StdEnvVars). Then the webapp can decide whether to allow the client in or redirect it to a specific error page.
Hope this helps,
Danny
>Hello all,
>
>Is it possible to redirect user with bad cert to other page?
>As I understand, server doesn't return any error code after ssl error on
>expired cert. Therefore, ErrorDocument directive doesn't work.
>
>Thank You
>Oleg Lebedev
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
Re: Redirection on bad cert
on 05.02.2003 10:35:46 by Oleg Lyebyedyev
Hello,
> Hi,
>
> As long as you're still in the SSL handshake phase (checking the client
> certs etc), you're not able to redirect the client to an error page. In
> this phase you're not talking HTTP yet.
Thank you for the explanation!
>
> The only way I know to solve this is to allow all clients to pass (by
> setting SSLClientVerifiy to optional) and passing the result to your webapp
> (by setting SSLOptions +StdEnvVars). Then the webapp can decide whether to
> allow the client in or redirect it to a specific error page.
I did it. It works well when the client has no cert at all, but when the cert exists
but is expired, I received errors: DNS error on MSIE and I/O error on NS.
Error_log contains the following:
[error] mod_ssl: Certificate Verification: Error (10): Certificate has expired
[error] mod_ssl: SSL handshake failed (server www.host.com:443, client 207.17.47.143) (OpenSSL library error follows)
[error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
The same result with optional_no_ca.
>
> Hope this helps,
>
> Danny
> >Hello all,
> >
> >Is it possible to redirect user with bad cert to other page?
> >As I understand, server doesn't return any error code after ssl error on
> >expired cert. Therefore, ErrorDocument directive doesn't work.
> >
> >Thank You
> >Oleg Lebedev
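Added example, not part of either message: the webapp-side decision Danny describes, reading the variables mod_ssl exports with SSLOptions +StdEnvVars (the directive is named SSLVerifyClient in mod_ssl). It only sees requests whose handshake completed, which is why the expired-certificate failure in the reply never reaches it; decide(), ERROR_PAGES and the error-page URLs are hypothetical.

```python
# Added example, not code from the thread. Assumed Apache side:
#   SSLVerifyClient optional
#   SSLOptions +StdEnvVars
# ERROR_PAGES and decide() are hypothetical names.
from datetime import datetime, timezone

ERROR_PAGES = {
    "missing": "/certerror/missing.html",
    "invalid": "/certerror/invalid.html",
    "expired": "/certerror/expired.html",
}

def parse_cert_time(value):
    """Parse mod_ssl's SSL_CLIENT_V_END, e.g. 'Feb  5 09:08:17 2004 GMT'."""
    fields = value.split()
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError("unexpected certificate time: %r" % value)
    stamp = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def redirect(kind):
    return ("302 Found", ERROR_PAGES[kind])

def decide(environ, now=None):
    """Return (status, location); location is None when access is allowed."""
    now = now or datetime.now(timezone.utc)
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":                 # client sent no certificate
        return redirect("missing")
    if verify != "SUCCESS":              # FAILED:<reason>, GENEROUS, anything else
        return redirect("invalid")       # fail closed
    try:
        not_after = parse_cert_time(environ["SSL_CLIENT_V_END"])
    except (KeyError, ValueError):
        return redirect("invalid")       # no usable validity data: fail closed
    if not_after <= now:                 # second check; mod_ssl normally rejects
        return redirect("expired")       # expired certs during the handshake
    return ("200 OK", None)

def application(environ, start_response):
    """WSGI wrapper around decide()."""
    status, location = decide(environ)
    headers = [("Content-Type", "text/plain")]
    if location:
        headers.append(("Location", location))
    start_response(status, headers)
    return [b"client certificate accepted\n" if not location else b""]
```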