httpd-users mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [users@httpd] Expired certificates : how to display a contextual message
Date Wed, 07 Apr 2004 09:37:49 GMT
On Tue, Apr 06, 2004 at 05:26:15PM +0200, nicolas.villoutreix@accenture.com wrote:
> When I try to connect to mod_ssl with an expired client certificate it
> brings back a 'Page Cannot be Displayed' error message. This is for
> IE.
> 
> Mozilla brings back a contextual pop-up: "could not establish a encrypted
> connection .... because your certificate is expired."
> 
> Does anyone know how I can get it to return a 'Your certificate has
> expired' error message that explains a bit more to the client what
> exactly happened? Can the server do that or is it only dependent on
> the client.

You can do clever things by using "SSLVerifyClient optional", and then
checking whether the client was verified using mod_rewrite, e.g.:

http://www.modssl.org/docs/apachecon2001/slide-019-n.html

(you'd need to use the %{LA-U:SSL_...} trick to get this to work with 2.0)

That gives you a generic "client not verified" error page...

I wrote a patch a while back which adds an SSL_CLIENT_V_REMAIN variable,
which lets you do more sophisticated things like this:

http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=105146469801289&q=raw

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
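
A configuration sketch of the approach described in the reply above, added here as an example and not taken from the thread, the linked slide, or the linked patch. It assumes httpd 2.4, where mod_rewrite's %{SSL:...} lookup and the SSL_CLIENT_V_REMAIN variable are available (so the 2.0 look-ahead trick is not needed); the host name, file paths, /cert-help/ URLs, CERT_EXPIRING variable and 14-day threshold are placeholders.

```apache
# Added example: assumes httpd 2.4 with mod_ssl and mod_rewrite loaded.
# Host name, file paths and the /cert-help/ pages are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt

    # Request a client certificate but let the handshake complete without
    # one, so the access decision moves from the TLS layer to the rules
    # below. With "optional" nothing is enforced unless a rule enforces it.
    # A certificate that is presented but fails verification (an expired
    # one included) still aborts the handshake under plain "optional".
    SSLVerifyClient optional
    SSLVerifyDepth  2

    RewriteEngine on

    # The explanation pages must stay reachable without a verified cert.
    RewriteRule ^/cert-help/ - [L]

    # Everything else: no verified client certificate means the client is
    # sent to an explanatory page instead of hitting a bare browser error.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteRule ^ /cert-help/not-verified.html [R=302,L]

    # Verified, but fewer than 14 days of validity left: flag the request
    # so the application can show a renewal notice (CERT_EXPIRING is a
    # hypothetical variable name, read by the application).
    RewriteCond %{SSL:SSL_CLIENT_V_REMAIN} -lt 14
    RewriteRule ^ - [E=CERT_EXPIRING:1]
</VirtualHost>
```

Because the catch-all rule is the only thing denying unauthenticated clients, any location that bypasses mod_rewrite in this virtual host is served without a client certificate.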

