Here is my final proposal.
I changed it a bit in order to be fully compatible with the current implementation.
 
Technical description (based on 2.0.54):
In ssl_io_filter_connect( ) - ssl_engine_io.c - we have 2 cases (at lines 1147 and 1173) where the connection may break because of a certificate verification/validation problem:  ' return ssl_filter_io_shutdown(filter_ctx, c, 1); '
I would return only if the error trapping module (mod_ssl_error) is not loaded.
If it is loaded, I would accept the certificate (continue processing and return DECLINED), as the error will be trapped later.
It may just be necessary to add "apr_table_setn(r->notes, "ssl-access-forbidden", "1");" ?
So, replace
    return ssl_filter_io_shutdown(filter_ctx, c, 1);
by
    if ( sslErrorRedirected ) apr_table_setn(r->notes, "ssl-access-forbidden", "1");
    else return ssl_filter_io_shutdown(filter_ctx, c, 1);
 
In order to check if the module is loaded, I need a few lines at the beginning of the function - unless a function exists to check if a module is loaded? Currently I coded it in the function:
    BOOL sslErrorRedirected = FALSE;
    { /* Check if mod_ssl_error is loaded */
        extern AP_DECLARE_DATA module *ap_top_module;
        module *modp;
        for ( modp = ap_top_module; modp; modp = modp->next )
            if ( strcmp(modp->name, "mod_ssl_error.c") == 0 ) {
                sslErrorRedirected = TRUE;
                break;
            }
    }
 
 
Error trapping module:
Here is what I implemented:
 
1. Specific error page
<IfModule mod_ssl_error.c>
SSL_Error_URL  10   "/error/expired.html"
SSL_Error_URL  12   "/error/crl_expired.html"
SSL_Error_URL  23   "/error/revoked.html"
</IfModule>
This directive allows redirecting to a specific page in case error X is detected (X is the OpenSSL error code).
 
2. General error page
<IfModule mod_ssl_error.c>
SSL_Error_DefaultURL /error/ssl_valid.html
</IfModule>
This directive allows redirecting to a specific page in case an error is detected that is not explicitly trapped with 1.
The error message is added to the URL: "/error/ssl_valid.html?error=XXX".
 
3. No error page
In case the "SSL_Error_DefaultURL" directive is not specified, it generates an error 403 (HTTP_FORBIDDEN).
 
URL
URL can be
 - absolute HTTP => no change
 - absolute HTTPS => change HTTPS to HTTP (to avoid loops)
 - relative filename => add "http://hostname", where hostname comes from the request (request_rec struct)
 
 
 
Does anybody see possible enhancements?
Currently it only traps certificate validation problems, but it may be extended to other non-fatal SSL errors, if any (?)
 
Does it seem reasonable to include it as a patch in HEAD?
 
Thanks for the feedback,
 
Marc
 
In case an SSL connection fails because a certificate is expired, or a CRL is unavailable, etc., the browser receives an SSL error that results in a cryptic technical error displayed to the user - sometimes only an error number, as in Firefox. In such a situation, the SSL connection could be established and an HTTP_FORBIDDEN (403) error returned. By adding another module, it is even possible to trap the exact SSL error and redirect to a page with the specific error message ("Your certificate is expired", "We cannot check the validity of the certificate - retry later", ...).
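As an added illustration (not Marc's code and not part of the proposed module), the redirect-target logic described above in plain C: a static table standing in for the SSL_Error_URL directives, the SSL_Error_DefaultURL fallback with "?error=XXX" appended, NULL for the 403 case, and the three URL rules (absolute http unchanged, https rewritten to http, relative path prefixed with http://hostname). The table contents, the hostname and the have_default flag are constructed inputs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed table mirroring the SSL_Error_URL directives from the mail. */
struct ssl_error_page { long code; const char *url; };
static const struct ssl_error_page error_pages[] = {
    { 10, "/error/expired.html" },
    { 12, "/error/crl_expired.html" },
    { 23, "/error/revoked.html" },
};
/* Constructed SSL_Error_DefaultURL value. */
static const char *default_url = "/error/ssl_valid.html";

/* Apply the URL rules from the mail: absolute http:// is kept, https://
 * becomes http:// (the client would otherwise loop back into the failing
 * TLS handshake), anything else is a path served under http://hostname.
 * Returns a malloc'd string; the caller frees it. */
char *normalize_error_url(const char *url, const char *hostname)
{
    size_t len = strlen(url) + strlen(hostname) + 16;
    char *out = malloc(len);
    if (!out)
        return NULL;
    if (strncmp(url, "http://", 7) == 0)
        snprintf(out, len, "%s", url);
    else if (strncmp(url, "https://", 8) == 0)
        snprintf(out, len, "http://%s", url + 8);
    else
        snprintf(out, len, "http://%s%s%s", hostname,
                 url[0] == '/' ? "" : "/", url);
    return out;
}

/* Choose the redirect target for an OpenSSL verify error code:
 * specific page first, then the default page with ?error=<code>,
 * else NULL meaning "no page configured, answer 403". */
char *ssl_error_target(long code, const char *hostname, int have_default)
{
    size_t i;
    char buf[256];
    for (i = 0; i < sizeof error_pages / sizeof error_pages[0]; i++)
        if (error_pages[i].code == code)
            return normalize_error_url(error_pages[i].url, hostname);
    if (!have_default)
        return NULL;
    snprintf(buf, sizeof buf, "%s?error=%ld", default_url, code);
    return normalize_error_url(buf, hostname);
}
```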