httpd-dev mailing list archives

Subject Re: SSL error trapping
Date Tue, 10 May 2005 06:45:33 GMT
The command
        apr_table_setn(r->notes, "ssl-access-forbidden", "1");
is incorrect, as we don't have access to the request (request_rec struct).
I suppose we could find it, but do we really need this line?
  ----- Original Message ----- 
  Sent: Monday, May 09, 2005 4:03 PM
  Subject: Re: SSL error trapping

  Here is my final proposal.
  I changed it a bit in order to be fully compatible with the current implementation.

  Technical description (based on 2.0.54):
  In ssl_io_filter_connect() - ssl_engine_io.c - we have 2 cases (at lines 1147 and 1173)
  where the connection may break because of a certificate verification/validation problem:
      return ssl_filter_io_shutdown(filter_ctx, c, 1);

  I would return only if the error trapping module (mod_ssl_error) is not loaded.
  If it is loaded, I would accept the certificate (continue the treatment and return DECLINED),
  as the error will be trapped later.
  It just may be needed to add: apr_table_setn(r->notes, "ssl-access-forbidden", "1");
  So, replace
      return ssl_filter_io_shutdown(filter_ctx, c, 1);
  with
      if ( is_ssl_error_loaded ) apr_table_setn(r->notes, "ssl-access-forbidden", "1");
      else return ssl_filter_io_shutdown(filter_ctx, c, 1);

  In order to check if the module is loaded, I need a few lines at the beginning of the function
  - unless a function exists to check if a module is loaded? Currently I coded it in the function:
      BOOL sslErrorRedirected = FALSE;
      { /* Check if mod_ssl_error is loaded by walking the linked list of loaded modules */
          extern AP_DECLARE_DATA module *ap_top_module;
          module *modp;
          for ( modp = ap_top_module; modp; modp = modp->next )
              if ( strcmp(modp->name, "mod_ssl_error.c") == 0 ) {
                  sslErrorRedirected = TRUE;
                  break;
              }
      }

  Error trapping module:
  Here is what I implemented:

  1. Specific error page
  <IfModule mod_ssl_error.c>
  SSL_Error_URL  10   "/error/expired.html"
  SSL_Error_URL  12   "/error/crl_expired.html"
  SSL_Error_URL  23   "/error/revoked.html"
  </IfModule>
  This directive allows redirecting to a specific page in case the error X is detected (X
  is the OpenSSL error code).

  2. General error page
  <IfModule mod_ssl_error.c>
  SSL_Error_DefaultURL /error/ssl_valid.html
  </IfModule>
  This directive allows redirecting to a specific page in case an error is detected and is
  not explicitly trapped with 1.
  The error message is added to the URL: "/error/ssl_valid.html?error=XXX".

  3. No error page
  In case the "SSL_Error_DefaultURL" directive is not specified, it generates an error 403
  (HTTP_FORBIDDEN).

  URL can be:
   - absolute HTTP => no change
   - absolute HTTPS => change HTTPS to HTTP (to avoid loops)
   - relative filename => add "http://hostname", where hostname comes from the request
     (request_rec struct)

  Does anybody see possible enhancements?
  Currently it only traps certificate validation problems, but it may be extended to other
  non-fatal SSL errors, if any (?)

  Does it seem reasonable to include it as a patch in HEAD?

  Thanks for the feedback,


      In case an SSL connection fails because a certificate is expired, or a CRL is unavailable,
etc., the browser receives an SSL error that results in a cryptic technical error displayed
to the user - sometimes only an error number, like in Firefox. In such a situation, the SSL
connection could be established, and an HTTP_FORBIDDEN (403) error returned. By adding another
module, it is even possible to trap the exact SSL error and redirect to a page with the specific
error message ("Your certificate is expired", "We cannot check the validity of the certificate
- retry later", ...).
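As an added illustration (not the mod_ssl_error patch discussed in this thread), the following C code models how the proposal's three directives and its URL rules resolve an OpenSSL verification error code into either a redirect target or a 403. The configuration table, the hostname and the function names are assumptions chosen for the example; the numeric codes 10, 12 and 23 are those from the quoted config and match OpenSSL's X509_V_ERR_* numbering.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SSL_Error_URL lines from the quoted config. */
struct err_url { int code; const char *url; };
static const struct err_url specific_urls[] = {
    { 10, "/error/expired.html" },      /* X509_V_ERR_CERT_HAS_EXPIRED */
    { 12, "/error/crl_expired.html" },  /* X509_V_ERR_CRL_HAS_EXPIRED  */
    { 23, "/error/revoked.html" },      /* X509_V_ERR_CERT_REVOKED     */
};
/* Constructed stand-in for SSL_Error_DefaultURL. */
static const char *default_url = "/error/ssl_valid.html";

/* Apply the proposal's three URL rules:
 *  - absolute http://  : unchanged
 *  - absolute https:// : rewritten to http:// so the redirect cannot loop
 *                        back into the failing TLS handshake
 *  - relative path     : prefixed with http://<hostname> from the request */
void normalise_url(const char *url, const char *hostname, char *out, size_t outlen)
{
    if (strncmp(url, "http://", 7) == 0)
        snprintf(out, outlen, "%s", url);
    else if (strncmp(url, "https://", 8) == 0)
        snprintf(out, outlen, "http://%s", url + 8);
    else
        snprintf(out, outlen, "http://%s%s%s", hostname,
                 url[0] == '/' ? "" : "/", url);
}

/* Resolve an OpenSSL verification error code. Returns 302 and fills `out`
 * with the redirect target, or 403 (HTTP_FORBIDDEN) when the code has no
 * specific page and no default page is configured (have_default == 0). */
int ssl_error_target(int err, const char *hostname, int have_default,
                     char *out, size_t outlen)
{
    char tmp[512];
    size_t i;

    for (i = 0; i < sizeof specific_urls / sizeof specific_urls[0]; i++) {
        if (specific_urls[i].code == err) {
            normalise_url(specific_urls[i].url, hostname, out, outlen);
            return 302;
        }
    }
    if (!have_default) {
        out[0] = '\0';
        return 403;
    }
    /* Untrapped error: default page with the code appended as ?error=XXX. */
    snprintf(tmp, sizeof tmp, "%s?error=%d", default_url, err);
    normalise_url(tmp, hostname, out, outlen);
    return 302;
}
```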