Re: Redirection on bad cert
Hello, Hi, As long as you're still in the SSL handshake phase (checking the client certs etc), you're not able to redirect the client to an error page. In this phase you're not talking HTTP yet. Thank you for explanation! The only way I know to solve this is to allow all clients to pass (by setting SSLClientVerifiy to optional) and passing the result to your webapp (by setting SSLOptions +StdEnvVars) . Than the webapp can decide whether to allow the client in or redirect it to a specific error page. I did it. O works well when client has no cert at all, but when cert exists but expired - I received errors: DNS error on MSIE and I/O error on NS. Error_log contans the following: [error] mod_ssl: Certificate Verification: Error (10): Certificate has expired [error] mod_ssl: SSL handshake failed (server www.host.com:443, client 207.17.47.143) (OpenSSL library error follows) [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned The same result with optional_no_ca. Hope this helps, Danny Hello all, Is it possible to redirect user with bad cert to other page? As I understand, server doesn't return any error code after ssl error on expired cert. Therefore, ErrorDocument directive doesn,t work. Thank You Oleg Lebedev __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Redirection on bad cert
Hello all, Is it possible to redirect user with bad cert to other page? As I understand, server doesn't return any error code after ssl error on expired cert. Therefore, ErrorDocument directive doesn,t work. Thank You Oleg Lebedev __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Error on expired date of cert
Ok. Is there exists some way to redirect user with expired cert to other page? Hello, I have following option: SSLVerifyClient optional (optional_no_ca - same result) My servlet analizes data from cert. With correct certs all is ok. Somebody without cert also has access to my page and I know that he hasn't a cert, but when expired cert is used then server error is occured. What is problem? Can I create ssl configuration to give access for all certs and to get cert info. Currently that is not possible afaict. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Error on expired date of cert
Hello, I have following option: SSLVerifyClient optional (optional_no_ca - same result) My servlet analizes data from cert. With correct certs all is ok. Somebody without cert also has access to my page and I know that he hasn't a cert, but when expired cert is used then server error is occured. What is problem? Can I create ssl configuration to give access for all certs and to get cert info. Thank You Oleg Lebedev __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]