----- Original Message -----
Sent: Monday, May 09, 2005 4:03 PM
Subject: Re: SSL error trapping
Here is my final proposal. I changed it a bit in order to be fully compatible with the current implementation.

Technical description (based on 2.0.54):
In ssl_io_filter_connect() - ssl_engine_io.c - we have 2 cases (at lines 1147 and 1173) where the connection may break because of a certificate verification/validation problem: 'return ssl_filter_io_shutdown(filter_ctx, c, 1);'

I would return only if the error trapping module (mod_ssl_error) is not loaded. If it is loaded, I would accept the certificate (continue the treatment and return DECLINED), as the error will be trapped later. It may just be necessary to add "apr_table_setn(r->notes, "ssl-access-forbidden", "1");" ?
So, replace

    return ssl_filter_io_shutdown(filter_ctx, c, 1);

by

    if (sslErrorRedirected)
        apr_table_setn(r->notes, "ssl-access-forbidden", "1");
    else
        return ssl_filter_io_shutdown(filter_ctx, c, 1);
In order to check if the module is loaded, I need a few lines at the beginning of the function - unless a function exists to check if a module is loaded? Currently I coded it in the function:
    BOOL sslErrorRedirected = FALSE;

    { /* Check if mod_ssl_error is loaded */
        extern AP_DECLARE_DATA module *ap_top_module;
        module *modp;

        for (modp = ap_top_module; modp; modp = modp->next)
            if (strcmp(modp->name, "mod_ssl_error.c") == 0) {
                sslErrorRedirected = TRUE;
                break;
            }
    }
Error trapping module:

Here is what I implemented:

1. Specific error page

    <IfModule mod_ssl_error.c>
        SSL_Error_URL 10 "/error/expired.html"
        SSL_Error_URL 12 "/error/crl_expired.html"
        SSL_Error_URL 23 "/error/revoked.html"
    </IfModule>

This directive allows redirecting to a specific page in case error X is detected (X is the OpenSSL error code).
2. General error page
</IfModule>
This directive allows redirecting to a specific page in case an error is detected that is not explicitly trapped with 1. The error message is added to the URL: "/error/ssl_valid.html?error=XXX".
3. No error page

In case the "SSL_Error_DefaultURL" directive is not specified, it generates an error 403 (HTTP_FORBIDDEN).
URL

The URL can be:
- absolute HTTP => no change
- absolute HTTPS => change HTTPS to HTTP (to avoid loops)
- relative filename => add "http://hostname", where hostname comes from the request (request_rec struct)
Does anybody see possible enhancements? Currently it only traps certificate validation problems, but it may be extended to other non-fatal SSL errors, if any (?)

Does it seem reasonable to include it as a patch in HEAD?
Thanks for the feedback,
Marc
In case an SSL connection fails because a certificate is expired, or a CRL is unavailable, etc., the browser receives an SSL error that results in a cryptic technical error displayed to the user - sometimes only an error number, like in Firefox. In such a situation, the SSL connection could be established, and an HTTP_FORBIDDEN (403) error returned. By adding another module, it is even possible to trap the exact SSL error and redirect to a page with the specific error message ("Your certificate is expired", "We cannot check the validity of the certificate - retry later", ...).
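The three-step page selection (specific SSL_Error_URL entry, then SSL_Error_DefaultURL with the error code appended, then plain 403) and the three URL rewriting rules from the proposal, worked through in plain C. This is an added example written for this page; it is not Marc's patch, not mod_ssl code, and it does not use the httpd API, so a hostname is passed in explicitly where the real module would read it from the request_rec. The function names, the 512-byte buffer and the sample error codes 7 and 10/12/23 are assumptions (10, 12 and 23 are the codes the message itself configures).

```c
/* Added example: a stand-alone model of mod_ssl_error's redirect selection.
 * Not from the proposal or from httpd; names and sizes are invented here. */
#include <stdio.h>
#include <string.h>

#define SSL_ERR_FORBIDDEN 403   /* no page configured: answer HTTP_FORBIDDEN */
#define SSL_ERR_REDIRECT  302   /* page configured: redirect the client */

/* One SSL_Error_URL entry: OpenSSL verify error code -> page. */
typedef struct { int code; const char *url; } ssl_error_url;

/* Constructed configuration mirroring the <IfModule> block in the message. */
static const ssl_error_url specific_urls[] = {
    { 10, "/error/expired.html" },
    { 12, "/error/crl_expired.html" },
    { 23, "/error/revoked.html" },
};

/* Rewrite a configured URL following the message's three rules: absolute
 * HTTP is unchanged, absolute HTTPS is downgraded to HTTP (so the error page
 * itself cannot trigger the same SSL error again), a relative filename gets
 * "http://<hostname>" prepended. Returns 0 on success, -1 on truncation. */
static int resolve_redirect_url(const char *url, const char *hostname,
                                char *out, size_t outlen)
{
    int n;
    if (strncmp(url, "http://", 7) == 0)
        n = snprintf(out, outlen, "%s", url);
    else if (strncmp(url, "https://", 8) == 0)
        n = snprintf(out, outlen, "http://%s", url + 8);
    else
        n = snprintf(out, outlen, "http://%s%s%s", hostname,
                     url[0] == '/' ? "" : "/", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Decide what to do for verify error `code`: a specific page if configured,
 * else default_url with ?error=<code> appended, else 403. On SSL_ERR_REDIRECT
 * the final Location is written to out. Any buffer overflow fails closed
 * (403) rather than redirecting to a truncated URL. */
static int select_ssl_error_action(int code, const char *default_url,
                                   const char *hostname,
                                   char *out, size_t outlen)
{
    size_t i;
    char target[512];

    for (i = 0; i < sizeof specific_urls / sizeof specific_urls[0]; i++) {
        if (specific_urls[i].code == code) {
            if (resolve_redirect_url(specific_urls[i].url, hostname,
                                     out, outlen) != 0)
                return SSL_ERR_FORBIDDEN;
            return SSL_ERR_REDIRECT;
        }
    }
    if (default_url == NULL)
        return SSL_ERR_FORBIDDEN;
    if (snprintf(target, sizeof target, "%s?error=%d", default_url, code)
            >= (int)sizeof target)
        return SSL_ERR_FORBIDDEN;
    if (resolve_redirect_url(target, hostname, out, outlen) != 0)
        return SSL_ERR_FORBIDDEN;
    return SSL_ERR_REDIRECT;
}

/* Convenience wrapper: the Location to send, or NULL meaning "send 403".
 * Uses a static buffer, so it is not reentrant; fine for a demonstration. */
const char *ssl_error_target(int code, const char *default_url,
                             const char *hostname)
{
    static char loc[512];
    if (select_ssl_error_action(code, default_url, hostname,
                                loc, sizeof loc) == SSL_ERR_REDIRECT)
        return loc;
    return NULL;
}

int main(void)
{
    /* Constructed cases: trapped code, untrapped code without and with
     * a default page configured over HTTPS. */
    const char *host = "www.example.org";
    const char *def = "https://www.example.org/error/ssl_valid.html";
    const char *t;

    t = ssl_error_target(10, NULL, host);
    printf("code 10, no default: %s\n", t ? t : "403 Forbidden");
    t = ssl_error_target(7, NULL, host);
    printf("code 7,  no default: %s\n", t ? t : "403 Forbidden");
    t = ssl_error_target(7, def, host);
    printf("code 7,  default:    %s\n", t ? t : "403 Forbidden");
    return 0;
}
```

The HTTPS-to-HTTP downgrade means the error page is served in the clear, so it should carry only the static explanation text and nothing derived from the client's certificate; the error code in the query string is the only per-request data the proposal puts in the URL.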