httpd-dev mailing list archives

From Marc Stern - Approach
Subject Bug 35083 - SSL error trapping
Date Mon, 08 Jan 2007 13:15:44 GMT
I patched mod_ssl to trap SSL errors related to certificate validation, 
allow the SSL connection anyway, then redirect to an error page.
Although this works well, this is not implemented in the best way, and I 
got some feedback on how to do it better.
Before implementing it, I'd like to check some points, after an in-depth 

1. The current idea is to trap validation-related errors, like 
certificate expiration/revocation.
Shouldn't we also trap negotiation errors, like incompatible 
ciphersuites and protocols between browser and server?
Maybe other ones?

2. Recommendations are to use one directive to relax the check on 
certificates (or on ciphersuites, ...), and other ones to trap errors by 
checking environment variables and redirect the 403 errors to a specific 
a. Doesn't this introduce a security risk, in case the check on 
certificates is relaxed and the other directives are not set (or changed)?
   This is against the principle of secure by installation ...
b. This solution would redirect all errors to the same page.
   Isn't it better to trap the error and redirect to a specific 
(customisable) page?
   Note that this trapping could be implemented in a separate module.

I'd like to work soon on this; if you want to participate, please 
contact me asap.


Marc Stern

Approach Belgium
Avenue Einstein, 2A
B-1348 Louvain-la-Neuve

Tel: +32 475 68 29 10
Fax: +32 10 83 22 55


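The risk raised in point 2a of the message, as an added example that is not part of the original message or of mod_ssl: a small Python check that flags any configuration section where client-certificate verification is relaxed but nothing in that section tests the verification result. It assumes the directives in question are mod_ssl's `SSLVerifyClient` (levels `optional` and `optional_no_ca`) and the `SSL_CLIENT_VERIFY` variable, which the message does not name; the function name and the configuration snippets are constructed.

```python
import re

RELAXED = {"optional", "optional_no_ca"}   # handshake may finish without a verified cert
OPEN, CLOSE = re.compile(r"<[^/][^>]*>"), re.compile(r"</\w+>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)

# Constructed sample configurations (not taken from the message).
WEAK = """
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional_no_ca
    ErrorDocument 403 /cert-error.html
</VirtualHost>
"""
GUARDED = WEAK.replace(
    "    ErrorDocument",
    '    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"\n    ErrorDocument')

def unguarded_relaxed_sections(conf):
    """Return (section, level) for every section that relaxes SSLVerifyClient
    without itself testing SSL_CLIENT_VERIFY. A test in a nested or enclosing
    section does not count, so such findings need a manual look."""
    stack = [{"name": "(server config)", "level": None, "guarded": False}]
    findings = []

    def close(frame):
        if frame["level"] in RELAXED and not frame["guarded"]:
            findings.append((frame["name"], frame["level"]))

    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "SSL_CLIENT_VERIFY" in line:      # e.g. SSLRequire or RewriteCond
            stack[-1]["guarded"] = True
        match = VERIFY.match(line)
        if match:
            stack[-1]["level"] = match.group(1).lower()
        elif CLOSE.fullmatch(line) and len(stack) > 1:
            close(stack.pop())
        elif OPEN.fullmatch(line):
            stack.append({"name": line, "level": None, "guarded": False})
    while stack:                             # sections left open, then server scope
        close(stack.pop())
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("guarded", GUARDED)):
        print(name, unguarded_relaxed_sections(conf))
```
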