Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory
On Wed, May 11, 2016 at 8:50 AM, Marat Khalili wrote:
> On 11/05/16 16:35, Tom Browder wrote:
>>
>> Is there any way via CGI to check for a valid client cert? If so, I
>> could interject another script to do that at the Enter button.
>
> Client verification state should be visible to a CGI script via SSL_*
> environment variables. SSL_CLIENT_VERIFY looks promising.

Ah! Thanks, Marat--I'll try that and report back!

Best regards,

-Tom

To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory
On 11/05/16 16:35, Tom Browder wrote:
> Is there any way via CGI to check for a valid client cert? If so, I
> could interject another script to do that at the Enter button.

Client verification state should be visible to a CGI script via SSL_*
environment variables. SSL_CLIENT_VERIFY looks promising.

--
With Best Regards,
Marat Khalili

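The check suggested in the message above, as an added example (not code from the thread): a Python CGI script that reads SSL_CLIENT_VERIFY and returns the friendly text instead of a browser error. It assumes the script's own location uses `SSLVerifyClient optional` with `SSLOptions +StdEnvVars`, and `RESTRICTED_URL` is a hypothetical path; the restricted directory itself keeps `SSLVerifyClient require`.

```python
#!/usr/bin/env python3
"""CGI gate: friendly message when no valid client certificate was presented.

Assumes this script's location is configured with `SSLVerifyClient optional`
and `SSLOptions +StdEnvVars`, so mod_ssl exports SSL_CLIENT_VERIFY to CGI.
The restricted directory itself must keep `SSLVerifyClient require`.
"""
import os
import sys

RESTRICTED_URL = "/restricted/"  # hypothetical path, not from the thread
FRIENDLY = ("Sorry, you must have a valid client certificate.\n"
            "Contact your CS Rep to get one.\n")


def classify(environ):
    """Map mod_ssl's SSL_CLIENT_VERIFY to (ok, log_reason). Fails closed."""
    if environ.get("HTTPS", "").lower() != "on":
        return False, "request did not arrive over TLS"
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify is None:
        return False, "SSL_CLIENT_VERIFY not exported (SSLOptions +StdEnvVars?)"
    if verify == "SUCCESS":
        return True, "verified: " + environ.get("SSL_CLIENT_S_DN", "unknown DN")
    if verify == "NONE":
        return False, "no client certificate presented"
    if verify.startswith("FAILED:"):
        return False, "verification failed: " + verify[len("FAILED:"):]
    # GENEROUS (optional_no_ca) and anything unexpected are not trusted.
    return False, "untrusted verification state: " + verify


def respond(environ):
    """Return (headers, body, log_line) for the CGI response."""
    ok, reason = classify(environ)
    if ok:
        return ["Status: 303 See Other", "Location: " + RESTRICTED_URL], "", reason
    # The reason goes to the error log only; the browser gets fixed text.
    headers = ["Status: 403 Forbidden", "Content-Type: text/plain; charset=utf-8"]
    return headers, FRIENDLY, reason


if __name__ == "__main__":
    headers, body, log_line = respond(os.environ)
    sys.stderr.write("cert-gate: %r\n" % log_line)  # lands in Apache's error log
    sys.stdout.write("\r\n".join(headers) + "\r\n\r\n" + body)
```

The script only chooses which page to show; access control still rests on the certificate requirement configured for the restricted directory.
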
[users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory
On Wednesday, May 11, 2016, Marat Khalili wrote:
> There's no code at all. HTTP connection is not even established. I don't
> think it can be easily solved. You have to ALLOW connections from clients
> without valid certificate in order to send them your custom message, and
> the resulting reduction of security is probably not worth it.

Actually I do allow them to the site:

https://usafa-1965.org

and they can get to the restricted area entry page:

https://usafa-1965.org/login/index.html

but they presently get an error when they click on the "Enter Restricted Area" button which calls a CGI script in the restricted area.

Is there any way via CGI to check for a valid client cert? If so, I could interject another script to do that at the Enter button.

-Tom

Re: [users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory
There's no code at all. HTTP connection is not even established. I don't think it can be easily solved. You have to ALLOW connections from clients without valid certificate in order to send them your custom message, and the resulting reduction of security is probably not worth it.

--
With Best Regards,
Marat Khalili

On 11/05/16 15:28, Tom Browder wrote:
> On Wed, May 11, 2016 at 7:19 AM, Tom Browder wrote:
>> I am running Apache 2.4.18 and have one site (https://usafa-1965.org)
>> that requires a client certificate to access a restricted directory
>> ("Classmates Only"). How can I return a friendlier message than, e.g.,
>> Chrome emits when a user without a valid certificate attempts to access
>> the restricted directory?
> ...
>> I think I can do something like this:
>>
>>    SSLOptions +StrictRequire
>>    SSLVerifyClient require
>>    # do NOT allow dir listings
>>    Options -Indexes
>>    # error 403 is "Forbidden"
>>    ErrorDocument 403 "Sorry, you must have a valid client certificate.\nContact your CS Rep to get one."
>
> That doesn't work, so maybe I have the wrong error code. How can I
> see what error code is actually being returned?
>
> -Tom

[users@httpd] Re: Want friendly error message for failed attempt to access a restricted directory
On Wed, May 11, 2016 at 7:19 AM, Tom Browder wrote:
> I am running Apache 2.4.18 and have one site (https://usafa-1965.org)
> that requires a client certificate to access a restricted directory
> ("Classmates Only"). How can I return a friendlier message than, e.g.,
> Chrome emits when a user without a valid certificate attempts to access
> the restricted directory?
...
> I think I can do something like this:
>
>    SSLOptions +StrictRequire
>    SSLVerifyClient require
>    # do NOT allow dir listings
>    Options -Indexes
>    # error 403 is "Forbidden"
>    ErrorDocument 403 "Sorry, you must have a valid client certificate.\nContact your CS Rep to get one."
>

That doesn't work, so maybe I have the wrong error code. How can I see what error code is actually being returned?

-Tom