You can accomplish the desired error message effect like so:

in your httpd.conf

SSLVerifyClient optional

Then write a handler to protect all your pages/images that checks the client certificate for whatever details you want to test, and redirects to a page with the error message that you want to display, or allows the access to proceed.

I'm not sure what happens when the cert is expired, the CRL is out of date etc, as this will get checked before your handler - testing will tell you this, but at least you will be able to tell folks with no client cert that they have to get one!

Such a handler would be a cinch in mod_perl - why not ask in the mod_perl lists, there might already be such a CPANish beastie. Or cut your own in PHP, Java etc.

Regards
Jeff

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Boyle Owen
> Sent: 29 August 2002 09:21
> To: [EMAIL PROTECTED]
> Subject: RE: Usefull error pages for users
>
> The SSL session is established *before* any HTTP traffic takes place.
> If the session fails to be set up, the client cannot send any request
> through to apache, which operates at the HTTP layer. So the server
> isn't really aware that any request was made and so can't very well
> generate a response...
>
> I think you'd have to hack into the mod_ssl code to achieve this.
>
> Rgds,
>
> Owen Boyle
>
> >-----Original Message-----
> >From: Danny Kruitbosch [mailto:[EMAIL PROTECTED]]
> >Sent: Wednesday, 28 August 2002 11:00
> >To: modssl-users
> >Subject: Usefull error pages for users
> >
> >Hi,
> >
> >I'm trying to figure out the following:
> >
> >We're using client certs for authentication and the authentication
> >works fine. But when a user connects and isn't able to present his
> >cert or his cert is revoked he gets a 'DNS or server error'
> >(IE 5.5/6.0). I would like to redirect this user to a custom error
> >page saying something intelligent like:
> >
> >"Certificate revoked"
> >"No certificate presented"
> >"Unable to verify certificate"
> >
> >or server specific errors like:
> >
> >CRL expired
> >Unable to verify certificate
> >
> >How can I set this up?
> >(Is there a list of specific error codes SSL uses and can I use the
> >ErrorDocument directive on this? If so, where do I find this list of
> >SSL error codes?)
> >
> >Thanks,
> >
> >Danny

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
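
The kind of handler the reply describes, written as Python WSGI middleware; this is an added example, not code from the thread or from mod_ssl. It assumes `SSLOptions +StdEnvVars` is set so that mod_ssl's `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_O` variables reach the application; the `/certerror/` pages and the required organisation are hypothetical.

```python
# Added example: gate every request on the client-certificate state that
# mod_ssl reports when httpd.conf has "SSLVerifyClient optional".
# Assumed for illustration: the error-page prefix and the O= value below.

ERROR_PREFIX = "/certerror/"     # hypothetical static pages, left unprotected
REQUIRED_ORG = "Example Corp"    # hypothetical check on the subject's O= field


def classify(environ):
    """Return None if access may proceed, else the name of an error page."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        # Handshake completed, but the browser sent no certificate.
        return "no-certificate"
    if verify != "SUCCESS":
        # Anything other than a clean SUCCESS (e.g. "FAILED:reason" or
        # "GENEROUS") is treated as unverified: fail closed.
        return "unverified"
    if environ.get("SSL_CLIENT_S_DN_O") != REQUIRED_ORG:
        # Certificate verified, but not one this site accepts.
        return "wrong-organisation"
    return None


class ClientCertGate:
    """WSGI middleware: redirect to an explanatory page or pass through."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # The error pages must stay reachable without a certificate,
        # otherwise the redirect would loop.
        if path.startswith(ERROR_PREFIX):
            return self.app(environ, start_response)
        page = classify(environ)
        if page is None:
            return self.app(environ, start_response)
        start_response("302 Found", [
            ("Location", ERROR_PREFIX + page + ".html"),
            ("Content-Length", "0"),
        ])
        return [b""]
```

Wrap the protected application as `application = ClientCertGate(application)`; the check only sees connections whose SSL handshake already succeeded.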
