httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "McGregor, Donald (Don) (CIV)" <mcgr...@nps.edu>
Subject Re: [users@httpd] Client Auth Retries
Date Wed, 03 Jun 2015 23:21:57 GMT
This behavior is puzzling.

*Once the browser goes to the “mistake” page, it won’t renegotiate
the SSL connection with the smart card despite

  - No open https connections to the server
  - The behavior persists across a server restart
  - The behavior persists across a “clear cache” on the client browser (Chrome)

The only way to force it to use the smart card auth appears to be quitting and restarting
the browser.

On Jun 2, 2015, at 3:18 PM, McGregor, Donald (Don) (CIV) <mcgredo@nps.edu<mailto:mcgredo@nps.edu>>
wrote:


I’m trying to set up client authentication using smart cards and be reasonably polite about
auth failures. A typical failure mode is that the user doesn’t have the card inserted; I
should send them to a warning page, then let them retry.

The relevant config file for the top level:

SSLVerifyClient optional

RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS
 RewriteRule .* /mistake/index.html [L]

<Directory /var/www/html/mistake>
  SSLVerifyClient none
</Directory>

Client auth is optional, but if it fails they see the informational
page telling them to use a smart card, in a directory
without smart card auth required.

This successfully rewrites to the informational page when they
don’t have the smart card inserted. The first time in If client auth fails for
some reason they see the error page, and if they do have
the card and authenticate, they see the expected content.

But if they see the error page, then insert the card, and then
try to go to the https://myhost/content, they continue to
see the error page. It seems as if the HTTPS connection
is not being renegotiated or that the SSL_CLIENT_VERIFY
is not being reset to SUCCESS on retry. Or is there a
better way to do this?

Mime
View raw message