SSLVerifyClient optional redirect or be graceful upon revoked certificate

on 22.01.2010 16:10:37 by Jaz

When using "SSLVerifyClient optional" is there a way (or are there plans for this) to redirect when mod_ssl detects a revoked certificate? What about setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no certificate is installed? In other words, why should the action be any different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self manage private SSL certificates. The login pre-test is intended for all cases (without cert, with cert, and revoked cert) and detects by testing $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" (this is in a dedicated directory carefully designed to eliminate risk from MitM attacks). This works for the two cases no-cert & valid-cert, but for revoked-cert we get an ugly hard-stop. For example from Firefox: "SSL peer rejected your certificate as revoked".

If this isn't appropriate for modssl-users and is rather an Apache issue, then advice for an alternate forum is appreciated. Has it already been discussed/requested? (I searched a lot but didn't find anything.)

I would like to build a mod_ssl with both the option to redirect on FAIL (separate options for no-cert and revoked-cert), and to limit initiate-renegotiation only by server, not by client. Any help is greatly appreciated.

Thanks.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
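As an added example (not code from the original post), here is a PHP login pre-test that branches on the values mod_ssl documents for SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS, FAILED:reason) instead of only testing for SUCCESS. The redirect paths are hypothetical; the unverified branches are only reachable when Apache lets the handshake complete despite the verification error (e.g. under SSLVerifyClient optional_no_ca), since with plain "optional" a revoked certificate aborts the handshake before PHP runs, which is the hard-stop described above.

```php
<?php
// Added example, not from the original post. Maps mod_ssl's
// SSL_CLIENT_VERIFY variable to a decision for a login pre-test.
// Documented values: NONE, SUCCESS, GENEROUS, or FAILED:<reason>.

function classify_client_cert(array $server)
{
    $verify = isset($server['SSL_CLIENT_VERIFY']) ? $server['SSL_CLIENT_VERIFY'] : 'NONE';

    if ($verify === 'SUCCESS') {
        // Chain verified against the configured CA set; the DN can be trusted.
        $dn = isset($server['SSL_CLIENT_S_DN']) ? $server['SSL_CLIENT_S_DN'] : '';
        return array('state' => 'valid', 'reason' => '', 'dn' => $dn);
    }
    if ($verify === 'NONE') {
        // No certificate presented at all.
        return array('state' => 'none', 'reason' => '', 'dn' => '');
    }
    if (strncmp($verify, 'FAILED:', 7) === 0) {
        // Reason is an OpenSSL verify error string; never trust the DN here.
        return array('state' => 'unverified', 'reason' => substr($verify, 7), 'dn' => '');
    }
    // GENEROUS (optional_no_ca accepted an unverifiable cert) or anything
    // unexpected: treat as unverified, same as a failed check.
    return array('state' => 'unverified', 'reason' => $verify, 'dn' => '');
}

// Hypothetical redirect targets for this example.
$result = classify_client_cert($_SERVER);
switch ($result['state']) {
    case 'valid':
        header('Location: /account/');
        break;
    case 'none':
        header('Location: /enroll/');
        break;
    default:
        // Keep the reason server-side; show the user a generic page.
        error_log('client certificate not accepted: ' . $result['reason']);
        header('Location: /cert-problem/');
}
exit;
```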

RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate

on 22.01.2010 18:59:29 by leanmeandonothingmachine

I proposed this a while back but never got any responses.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46897
