httpd-dev mailing list archives

From Stephane Bailliez <sbaill...@apache.org>
Subject Re: SSL error trapping
Date Fri, 29 Apr 2005 12:20:11 GMT
sternmarc@lycos.co.uk wrote:
> In case a SSL connection fails because a certificate is expired, or a 
> CRL is unavailable, etc., the browser receives a SSL error that results 
> in a cryptic technical error displayed to the user - sometimes only an 
> error number like in Firefox. In such a situation, the SSL connection 
> could be established, and a HTTP_FORBIDDEN (403) error returned. By 
> adding another module, it is even possible to trap the exact SSL error 
> and redirect to a page with the specific error message ("Your 
> certificate is expired", "We cannot check the validity of the 
> certificate - retry later", ...).

Nice. Indeed this is one of the major problems these days: we're going to 
certificates and SSL everywhere, but the HTTP handling of 
authentication is very poor and we're drowning under user questions.

> 3. To check the certification verification process, I can use the string 
> "SSL_CLIENT_VERIFY", but isn't there any real error code (int) 
> available? It would be cleaner to use the exact OpenSSL error codes than a 
> string. I cannot find this code, even inside 'ssl_hook_Access( )' in 
> ssl_engine_kernel.c. Awk ...

If I'm not wrong, I think what you're looking for is in 
${openssl_home}/crypto/x509/x509_vfy.h

Look for:

#define		X509_V_OK	0
[... error codes ....]
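As an added example (not code from this thread, nor from httpd or mod_ssl): a small C table that maps the numeric X509_V_* verification results declared in x509_vfy.h to the kind of user-facing page the first post describes, returning 403 for any verification failure. It assumes an error page at the path /ssl-error keyed by the numeric code, and the message texts other than the two quoted in the post, plus the "transient" classification of CRL lookup failures, are the example's own choices. The fallback numeric values are copied from OpenSSL's x509_vfy.h only so the file compiles where the OpenSSL headers are not installed; with the headers present, the real definitions are used.

```c
/* Added example: map OpenSSL verify result codes (ints) to error pages,
 * instead of comparing the SSL_CLIENT_VERIFY string. Not httpd code. */
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<openssl/x509_vfy.h>)
#    include <openssl/x509_vfy.h>
#    define EXAMPLE_HAVE_X509_VFY 1
#  endif
#endif

#ifndef EXAMPLE_HAVE_X509_VFY
/* Fallback: the X509_V_* values this example uses, copied from OpenSSL's
 * x509_vfy.h so the file compiles without the headers. Prefer the real
 * header; the macro names, not the numbers, are the stable interface. */
#  define X509_V_OK                                     0
#  define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT          2
#  define X509_V_ERR_UNABLE_TO_GET_CRL                  3
#  define X509_V_ERR_CERT_NOT_YET_VALID                 9
#  define X509_V_ERR_CERT_HAS_EXPIRED                   10
#  define X509_V_ERR_CRL_NOT_YET_VALID                  11
#  define X509_V_ERR_CRL_HAS_EXPIRED                    12
#  define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT        18
#  define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN          19
#  define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY  20
#  define X509_V_ERR_CERT_REVOKED                       23
#endif

/* One row of the error-page table: the numeric verify result, whether the
 * failure is a server-side lookup problem worth retrying, and the text to
 * show the user instead of OpenSSL's reason string. */
typedef struct {
    int         verify_code;
    int         transient;
    const char *user_message;
} verify_page;

static const verify_page PAGES[] = {
    { X509_V_ERR_CERT_HAS_EXPIRED,                  0, "Your certificate is expired" },
    { X509_V_ERR_CERT_NOT_YET_VALID,                0, "Your certificate is not yet valid" },
    { X509_V_ERR_CERT_REVOKED,                      0, "Your certificate has been revoked" },
    { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,       0, "Self-signed certificates are not accepted here" },
    { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,         0, "Your certificate chain ends in an untrusted root" },
    { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,         0, "The issuer of your certificate is not known to this server" },
    { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0, "The issuer of your certificate is not known to this server" },
    /* CRL problems: the user's certificate may be fine, the server could not check it. */
    { X509_V_ERR_UNABLE_TO_GET_CRL,                 1, "We cannot check the validity of the certificate - retry later" },
    { X509_V_ERR_CRL_HAS_EXPIRED,                   1, "We cannot check the validity of the certificate - retry later" },
    { X509_V_ERR_CRL_NOT_YET_VALID,                 1, "We cannot check the validity of the certificate - retry later" },
};

static const verify_page *find_page(int verify_code) {
    for (size_t i = 0; i < sizeof PAGES / sizeof PAGES[0]; i++)
        if (PAGES[i].verify_code == verify_code)
            return &PAGES[i];
    return NULL;
}

/* Status to send once the handshake has been allowed to complete:
 * 200 when verification passed, 403 for every verification failure. */
int http_status_for_verify(int verify_code) {
    return verify_code == X509_V_OK ? 200 : 403;
}

/* Unknown codes get a generic message rather than a raw OpenSSL reason. */
const char *user_message_for_verify(int verify_code) {
    const verify_page *p;
    if (verify_code == X509_V_OK)
        return "Certificate accepted";
    p = find_page(verify_code);
    return p ? p->user_message : "Your certificate could not be verified";
}

/* 1 if the failure is a server-side lookup problem (retry later), else 0. */
int is_transient_verify_error(int verify_code) {
    const verify_page *p = find_page(verify_code);
    return p ? p->transient : 0;
}

/* Build the redirect target keyed by the numeric code, so the error page
 * does not depend on OpenSSL's message strings. "/ssl-error" is an assumed
 * example path. Returns the number of characters written, as snprintf does. */
int build_error_location(int verify_code, char *buf, size_t n) {
    return snprintf(buf, n, "/ssl-error?code=%d", verify_code);
}

int main(void) {
    /* Constructed sample of verify results a hook might see. */
    const int samples[] = { X509_V_OK, X509_V_ERR_CERT_HAS_EXPIRED,
                            X509_V_ERR_UNABLE_TO_GET_CRL, 9999 };
    char location[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_error_location(samples[i], location, sizeof location);
        printf("code=%d status=%d transient=%d location=%s message=\"%s\"\n",
               samples[i], http_status_for_verify(samples[i]),
               is_transient_verify_error(samples[i]), location,
               user_message_for_verify(samples[i]));
    }
    return 0;
}
```

The table is keyed by the X509_V_* macros rather than by message text, which is the point of the question: the macros are what the verify callback and SSL_get_verify_result() report, and they do not change between OpenSSL builds the way the human-readable strings can.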

