On Mon, Feb 22, 1999, Alfredo Raul Pena wrote:

> Suppose I request client authentication on a server basis and the user
> doesn't have a valid certificate for my server. Is there a way to display
> some sort of Forbidden message instead of closing the connection?

Usually the SSL alert mod_ssl+OpenSSL sends pops up a message box in the
browsers (at least in NS) saying that the browser cannot verify the
certificate, etc.  But when you use "SSLVerifyClient require" you cannot
provide any HTML pages, because the whole authentication stuff is done
_before_ any HTTP is spoken. 

When you really want to display such an error page, you can do the following:
Instead of verifying the client certs by checking the signature of the issuer
implicitly through mod_ssl+OpenSSL you can verify it manually via an
SSLRequire expression. This is evaluated after the HTTP request happened, but
before the HTTP response is sent. When the SSLRequire expression expands to
false, a Forbidden is forced by mod_ssl. And I'm sure you can intercept this
with an ErrorDocument.

But the whole situation is interesting. I think I should add a solution to the
HowTo chapter of the User Manual for this stuff.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
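The configuration below is an added illustration of the approach described in the reply above; it is not from the original thread or from the mod_ssl User Manual. It assumes an Apache/mod_ssl virtual host whose certificate, key and CA bundle paths, the /secure location, and the /errors/nocert.html page are all hypothetical names chosen for the example. The handshake is allowed to complete without a verifiable client certificate, and the decision is then made per request by SSLRequire on the SSL_CLIENT_VERIFY variable, so the 403 can be served as an ordinary HTML page.

```apache
# Added example (not from the original post or the mod_ssl docs).
# Hypothetical paths: server.crt/server.key, ca.crt, /errors/nocert.html.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/ca.crt
    SSLVerifyDepth        2

    # Ask for a client certificate but never abort the handshake because
    # of it: "optional_no_ca" lets the connection succeed when no cert is
    # sent AND when the cert does not chain to ca.crt. Only then is HTTP
    # spoken at all, which is what makes an HTML error page possible.
    # (With "require", or with "optional" and an unverifiable cert, the
    # connection is closed with an SSL alert before any request exists.)
    SSLVerifyClient optional_no_ca

    # Protected area: SSL_CLIENT_VERIFY is "NONE" when no cert was sent,
    # "GENEROUS" when one was sent but did not verify, "SUCCESS" only when
    # it verified against SSLCACertificateFile. Anything but SUCCESS is
    # turned into a 403 by SSLRequire, which ErrorDocument then renders.
    <Location /secure>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        # To additionally pin the issuing organisation, extend the rule:
        #   SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
        #          and %{SSL_CLIENT_S_DN_O} eq "Example Corp"
        ErrorDocument 403 /errors/nocert.html
    </Location>

    # The error page must live OUTSIDE the SSLRequire'd area; if it sat
    # under /secure, fetching it would be forbidden as well and the
    # browser would get a bare 403 instead of the explanatory page.
    <Location /errors>
        Options None
    </Location>
</VirtualHost>
```

Two caveats a practitioner should keep in mind: first, with optional_no_ca every TLS session is accepted, so nothing but the SSLRequire line is keeping certificate-less clients out of /secure, and any other Location that should be protected needs its own SSLRequire (or must be nested under one that has it). Second, the check is per request, not per connection, which is exactly what makes the error page possible but also means the browser will still show its own "choose a certificate" dialog on the first connection; only the server-side reaction to the missing or unverifiable certificate changes.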
