When using "SSLVerifyClient optional" is there a way (or are there plans for 
this) to redirect when mod_ssl detects a revoked certificate? What about 
setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no 
certificate is installed? In other words, why should the action be any 
different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self-manage private SSL certificates. 
The login pre-test is intended for all cases (without cert, with cert, and 
revoked cert) and detects by testing $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" 
(This is in a dedicated directory <Directory "..."> carefully designed to 
eliminate risk from MitM attacks). This works for the two cases no-cert & 
valid-cert, but for revoked-cert we get an ugly hard-stop. For example from 
Firefox: "SSL peer rejected your certificate as revoked".

If this isn't appropriate for modssl-users but is rather an Apache issue, then 
advice for an alternate forum is appreciated. Has it already been 
discussed/requested? (searched a lot but didn't find anything)

I would like to build a mod_ssl with both the option to redirect on FAIL 
(separate options for no-cert and revoked-cert), and limit 
initiate-renegotiation only by server, not by client. Any help is greatly 
appreciated.

Thanks. 
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
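The login pre-test described in the post, written out as an added example (this is not code from the original message or from mod_ssl). It assumes the dedicated directory is configured with "SSLVerifyClient optional" and "SSLOptions +StdEnvVars" so that mod_ssl exports SSL_CLIENT_VERIFY, which mod_ssl documents as one of NONE, SUCCESS, GENEROUS or FAILED:reason. The example fails closed: only an exact SUCCESS with a subject DN counts as authenticated, a missing variable or GENEROUS is never treated as a valid login, and a FAILED:reason value is parsed so the application can redirect on it. The redirect paths and the sample environments are constructed for illustration. One caveat the example cannot work around: a certificate that mod_ssl rejects inside the TLS handshake (which is where the CRL check runs) never produces an HTTP request, so no application-level test can see or redirect that case; the states below are the ones the application actually receives. Written for PHP 5.3 or later.

```php
<?php
// Added example, not from the original post or from mod_ssl.
// Assumed Apache config for the directory (not shown here):
//   SSLVerifyClient optional
//   SSLOptions +StdEnvVars
// mod_ssl then exports SSL_CLIENT_VERIFY as one of:
//   NONE           client sent no certificate
//   SUCCESS        certificate verified against the configured CA chain
//   GENEROUS       certificate accepted without full verification
//   FAILED:reason  verification failed but the handshake continued
// Anything else, including an absent variable, is treated as "not verified".

define('CERT_NONE',    'no-cert');
define('CERT_VALID',   'valid-cert');
define('CERT_FAILED',  'failed-cert');
define('CERT_UNKNOWN', 'not-verified');

/**
 * Classify the client-certificate state from mod_ssl's environment.
 * Returns array(state, detail). Only CERT_VALID may be used to grant access.
 */
function classify_client_cert(array $server)
{
    if (!isset($server['HTTPS']) || $server['HTTPS'] !== 'on') {
        return array(CERT_UNKNOWN, 'request did not arrive over TLS');
    }
    if (!isset($server['SSL_CLIENT_VERIFY'])) {
        // StdEnvVars not enabled for this directory, or not a mod_ssl request.
        return array(CERT_UNKNOWN, 'SSL_CLIENT_VERIFY not exported');
    }
    $verify = $server['SSL_CLIENT_VERIFY'];

    if ($verify === 'NONE') {
        return array(CERT_NONE, 'no client certificate presented');
    }
    if ($verify === 'SUCCESS') {
        // Require a subject DN as well, so a bare SUCCESS cannot slip through.
        $dn = isset($server['SSL_CLIENT_S_DN']) ? $server['SSL_CLIENT_S_DN'] : '';
        if ($dn === '') {
            return array(CERT_UNKNOWN, 'SUCCESS without subject DN');
        }
        return array(CERT_VALID, $dn);
    }
    if (strncmp($verify, 'FAILED:', 7) === 0) {
        // Keep the reason mod_ssl supplied so the redirect target can show it.
        return array(CERT_FAILED, substr($verify, 7));
    }
    // GENEROUS or anything unexpected: never treat as authenticated.
    return array(CERT_UNKNOWN, 'unexpected verify state ' . $verify);
}

/**
 * Login pre-test: pick the redirect target for the current state.
 * The paths are hypothetical and belong to this example only.
 */
function login_pretest_redirect(array $server)
{
    list($state, $detail) = classify_client_cert($server);
    switch ($state) {
        case CERT_VALID:  return '/app/';                  // proceed to the application
        case CERT_NONE:   return '/enroll/';               // no cert: offer enrollment
        case CERT_FAILED: return '/renew/?reason=' . rawurlencode($detail);
        default:          return '/error/?reason=' . rawurlencode($detail);
    }
}

// Constructed sample environments standing in for $_SERVER.
$samples = array(
    'no cert'    => array('HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'NONE'),
    'valid'      => array('HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
                          'SSL_CLIENT_S_DN' => '/C=US/O=Example/CN=alice'),
    'failed'     => array('HTTPS' => 'on',
                          'SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired'),
    'generous'   => array('HTTPS' => 'on', 'SSL_CLIENT_VERIFY' => 'GENEROUS'),
    'plain http' => array('HTTPS' => 'off'),
);
foreach ($samples as $name => $env) {
    list($state, $detail) = classify_client_cert($env);
    printf("%-10s -> %-12s (%s) redirect %s\n",
           $name, $state, $detail, login_pretest_redirect($env));
}
```

In production the pre-test would call `header('Location: ' . login_pretest_redirect($_SERVER))` instead of printing; the important design choice is that every branch other than an exact SUCCESS lands on a non-privileged page.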