Customizing error message when using certificate based authentication

on 03.01.2008 11:23:30 by Christian Nolte

Hi!

I have set up certificate based authentication using

SSLVerifyClient require

in my httpd.conf. Everything works fine but if a client does not have a
valid certificate Firefox gives an obscure error message:

"www.example.com has received an incorrect or unexpected message. Error
Code: -12227"

Is there a way to give the client a normal error page, like e.g. for 404
errors?

Best regards!
Christian

--
For more than 4 generations the IT Professionals were the guardians
of quality and stability in software. Before the dark times.
Before Microsoft...

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org

Re: Customizing error message when using certificate based authentication

on 03.01.2008 16:25:50 by Roy Keene

Christian Nolte wrote:
> Hi!
>
> I have set up certificate based authentication using
>
> SSLVerifyClient require
>
> in my httpd.conf. Everything works fine but if a client does not have a
> valid certificate Firefox gives an obscure error message:
>
> "www.example.com has received an incorrect or unexpected message. Error
> Code: -12227"
>
> Is there a way to give the client a normal error page, like e.g. for 404
> errors?
>
> Best regards!
> Christian
>
> --
> For more than 4 generations the IT Professionals were the guardians
> of quality and stability in software. Before the dark times.
> Before Microsoft...


II. Tricks
   1. Redirect all HTTP requests to HTTPS
      a. Load mod_rewrite (see:
         http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
      b. Add the following rule to your non-HTTPS server configuration
         (httpd.conf):
            # Require HTTPS
            RewriteEngine on
            RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [redirect=permanent]

   2. Redirect all requests that fail to authenticate to an error page
      a. Load mod_rewrite (see:
         http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
      b. Add the following rule to your HTTPS server configuration
         (mod_ssl.conf):
         i. Apache 1.3.x: (NOTE: Internet Explorer does not work
            correctly with Apache 1.3.x and mod_ssl when SSLVerifyClient
            is set to anything except "none")
               # Redirect client-verification-failures to a specific
               # page.
               RewriteEngine on
               RewriteCond %{SSL_CLIENT_VERIFY} !^SUCCESS$
               RewriteRule . /error-pages/pki/pki-invalid.html [last]
         ii. Apache 2.2.x:
               # Redirect client-verification-failures to a specific
               # page.
               RewriteEngine on
               RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
               RewriteRule . /error-pages/pki/pki-invalid.html [last]
      c. Change "SSLVerifyClient" to "optional" (NOTE: Internet Explorer
         does not work correctly with Apache 1.3.x and mod_ssl when
         SSLVerifyClient is set to anything except "none")
            SSLVerifyClient optional

--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827
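
Step 2c above moves enforcement from the TLS handshake to the rewrite rule, so a virtual host with `SSLVerifyClient optional` and no active rule serves clients that present no certificate. The following is an added example, not part of the original posts: a heuristic check that flags such `<VirtualHost>` blocks. The host names, sample configuration and function names are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): only the first vhost enforces
# the verification result; the other two let certificate-less clients in.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName enforced.example.com
    SSLVerifyClient optional
    RewriteEngine on
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule . /error-pages/pki/pki-invalid.html [last]
</VirtualHost>
<VirtualHost *:443>
    ServerName norule.example.com
    SSLVerifyClient optional
</VirtualHost>
<VirtualHost *:443>
    ServerName engineoff.example.com
    SSLVerifyClient optional
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
    RewriteRule . /error-pages/pki/pki-invalid.html [last]
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directives(block):
    """Yield (lowercased name, args) for each active directive line."""
    for line in block.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def unenforced_vhosts(conf):
    """ServerNames using 'SSLVerifyClient optional' without an active check."""
    findings = []
    for block in VHOST_RE.findall(conf):
        seen, pending, guarded = {}, False, False
        for d, args in directives(block):
            if d == "rewritecond":  # conditions attach to the next RewriteRule
                pending = pending or "SSL_CLIENT_VERIFY" in args
            elif d == "rewriterule":
                guarded, pending = guarded or pending, False
            else:
                seen[d] = args  # remember ServerName, SSLVerifyClient, ...
        optional = seen.get("sslverifyclient", "").lower().startswith("optional")
        engine = seen.get("rewriteengine", "").lower() == "on"
        if optional and not (engine and guarded):
            findings.append(seen.get("servername", "(unnamed)"))
    return findings
```

The check is per block because mod_rewrite settings from the main server are not inherited by virtual hosts unless `RewriteOptions inherit` is set.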
