Client certificate verification && Error handling in apache2 with mod_ssl

This is a multi-part message in MIME format.

------=_NextPart_000_0060_01C422D6.7766FB80
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello,

Does mod_ssl support any type of error handling for the client =
certificate authentification?=20
I'd really like to have another page load than a server not found one =
when a client presents an invalid certificate.

If not, is it possible to bypass some verifications such as the cert =
date, so my servlet engine can check that itself
and display an appropriated error page instead of the server not found =
one?=20
So Apache would just take the certificate, not check anything, export =
it, and I'll handle all cert related errors somewhere else.

Thanks,

Michael Lamot


------=_NextPart_000_0060_01C422D6.7766FB80
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable



charset=3Diso-8859-1">

Encryption and weblogic module

Hello everyone.

I am quite new to ssl, so I have a question.

While a connection between a pc client and
a web server is encrypted, I do not know if
the connection that may result thereafter is
encrypted too, that is, if ssl.conf contain
an entry that look like this:


SetHandler weblogic-handler
WebLogicCluster host1.dom.dom.se:99999,host2.dom.dom.se:99999
ErrorPage /xx/xxx/xxx/xxx/errpage.html


Is the data that is sent and received between the
webserver and host1/2.dom.dom.se also encrypted, and
is there a way to check that ?

Or is the question about encryption something that
(in this case) the weblogic module (that Apache uses)
is responsible for ?


Regards

Anders





____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Encryption and weblogic module

AFAIK the apache-weblogic connection isn't encrypted.
And yes if encrypted it would be weblogic modules
responsibilty. You can check with a tcpdump (use
ethereal on Linux/Unix). You could use Stunnel to
create an SSL tunnel between the apache and weblogic
boxes. How well this works I don't know.

Regards
Matt

--- Ringaby Anders wrote:
>
>
> Hello everyone.
>
> I am quite new to ssl, so I have a question.
>
> While a connection between a pc client and
> a web server is encrypted, I do not know if
> the connection that may result thereafter is
> encrypted too, that is, if ssl.conf contain
> an entry that look like this:
>
>
> SetHandler weblogic-handler
> WebLogicCluster
> host1.dom.dom.se:99999,host2.dom.dom.se:99999
> ErrorPage /xx/xxx/xxx/xxx/errpage.html
>
>
> Is the data that is sent and received between the
> webserver and host1/2.dom.dom.se also encrypted, and
> is there a way to check that ?
>
> Or is the question about encryption something that
> (in this case) the weblogic module (that Apache
> uses)
> is responsible for ?
>
>
> Regards
>
> Anders
>
>
>
>
>
>
____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> User Support Mailing List
> modssl-users@modssl.org
> Automated List Manager
majordomo@modssl.org





__________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
http://taxes.yahoo.com/filing.html
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Encryption and weblogic module

Weblogic used to provide an ssl version of the mod_wl module, I think it
was named mod_wl_ssl. Obtaining the correct mod_wl_ssl may be dependent
on which version of weblogic and apache are being used.

We have run this configuration on Apache 1.x

client --> FireWall --> Apache --> Firewall ---> Weblogic
only port 443 mod_wl_ssl port nnnn
is configurable

David

-----Original Message-----
From: Daniel Lopez [mailto:daniel@rawbyte.com]=20
Sent: Friday, April 16, 2004 6:48 AM
To: modssl-users@modssl.org
Subject: Re: Encryption and weblogic module


client ----(a)-----> Apache -----(b)----> Weblogic

If the client connects to Apache using SSL, (a) will be encrypted but
(b)
will not (unless you can configure mod_wl to use SSL, which I dont
believe
you can). the assumption is that (b) is occurring over a private,
trusted
network. If you need to encrypt (b) I would suggest either setting up a
VPN
or using Apache as a reverse proxy with SSL (the weblogic protocol in
modern
versions is basically HTTP with a couple of extra headers)

cheers

Daniel

> Hello everyone.
>=20
> I am quite new to ssl, so I have a question.
>=20
> While a connection between a pc client and
> a web server is encrypted, I do not know if
> the connection that may result thereafter is
> encrypted too, that is, if ssl.conf contain
> an entry that look like this:
>=20
>
> SetHandler weblogic-handler
> WebLogicCluster host1.dom.dom.se:99999,host2.dom.dom.se:99999
> ErrorPage /xx/xxx/xxx/xxx/errpage.html
>
>=20
> Is the data that is sent and received between the
> webserver and host1/2.dom.dom.se also encrypted, and
> is there a way to check that ?
>=20
> Or is the question about encryption something that
> (in this case) the weblogic module (that Apache uses)
> is responsible for ?
>=20
>=20
> Regards
>=20
> Anders
>=20
>=20
>
--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Encryption and weblogic module

client ----(a)-----> Apache -----(b)----> Weblogic

If the client connects to Apache using SSL, (a) will be encrypted but (b)
will not (unless you can configure mod_wl to use SSL, which I dont believe
you can). the assumption is that (b) is occurring over a private, trusted
network. If you need to encrypt (b) I would suggest either setting up a VPN
or using Apache as a reverse proxy with SSL (the weblogic protocol in modern
versions is basically HTTP with a couple of extra headers)

cheers

Daniel

> Hello everyone.
>
> I am quite new to ssl, so I have a question.
>
> While a connection between a pc client and
> a web server is encrypted, I do not know if
> the connection that may result thereafter is
> encrypted too, that is, if ssl.conf contain
> an entry that look like this:
>
>
> SetHandler weblogic-handler
> WebLogicCluster host1.dom.dom.se:99999,host2.dom.dom.se:99999
> ErrorPage /xx/xxx/xxx/xxx/errpage.html
>
>
> Is the data that is sent and received between the
> webserver and host1/2.dom.dom.se also encrypted, and
> is there a way to check that ?
>
> Or is the question about encryption something that
> (in this case) the weblogic module (that Apache uses)
> is responsible for ?
>
>
> Regards
>
> Anders
>
>
>
--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Encryption and weblogic module

But that module is for when Apache has been compiled with SSL (EAPI
patches) does not provide SSL support.

> Weblogic used to provide an ssl version of the mod_wl module, I think it
> was named mod_wl_ssl. Obtaining the correct mod_wl_ssl may be dependent
> on which version of weblogic and apache are being used.
>
> We have run this configuration on Apache 1.x
>
> client --> FireWall --> Apache --> Firewall ---> Weblogic
> only port 443 mod_wl_ssl port nnnn
> is configurable
>
> David
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org