Jeff:
I have been able to generate a 403 message from the server by doing the
following:
---- start configuration ----
# playing around with SSL stuff (dr)
SSLProtocol all
#SSLCipherSuite HIGH:MEDIUM
<Directory /usr/local/apache/htdocs>
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Directory>
<Location /servlet>
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
ErrorDocument 403 http://www.bitonic.com/error/custom403.html
---- end configuration ----
I have this all within a <VirtualHost> directive and it works fine. Of
course the only problem with it is that there are many things which
could generate a 403 (Forbidden) error, so the custom response can't
specifically say you must have a 128-bit capable browser.
Notice I commentted out the SSLCipherSuite method as leaving that in
does indeed force 128-bit encryption but generates the error message you
refer to.
-dr
> Sorry, but the "Error Document 403 http://www.xxx.com/ssl_error_page.htm"
> directive does not work.
>
> The server does NOT generate a 403 error for a failed SSL connection. If
> the server does generate a standard error code, then I might be able to
> intercept it and send them to another page.
>
> Here are the messages that show up in the error log:
>
> mod_ssl: SSL handshake failed (server ssl.xxxxxxx.com)
> OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> Any other ideas about how I can get this to somehow trigger a redirect to
> my error page.
>
> Thanks,
>
> Jeff
>
>
>
> At 01:31 PM 8/4/00 -0400, you wrote:
> >I haven't looked too deeply into this, but I assume that by adding the
> >directives:
> >
> >SSLCipherSuite
> >SSLRequireSSL
> >ErrorDocument 403
> >
> >at the per-Directory level, you ought to be able to do what you want.
> >Tne ErrorDocument lets you specify either a text message or a re-direct URL.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> > > Sent: Thursday, August 03, 2000 5:38 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: One more time -- How do I set up a redirect or error page for <
> > > 128-bit connections
> > >
> > >
> > > I didn't see any replies to this the first time (and I still haven't
> > > figured it), so let's try again...
> > >
> > > I have my server configured to only accept 128-bit+ SSL/TLS connections.
> > >
> > > How can I configure things to display an error page or do a redirect if a
> > > user attempts to connect at a lower encryption level? I had this working
> > > with Apache-SSL by intercepting the "403" error and displaying an error
> > > page. However, I recently switched to mod_ssl and this trick
> > > does not work.
> > >
> > > The examples I have seen show how to set up different levels of
> > > encryption
> > > for different directories, but this is not what I need. I need
> > > to display
> > > an error page for anyone who attempts a low-encryption connection
> > > on any page.
> > >
> > > Thanks,
> > >
> > > Jeff
--
Douglas B. Robertson, B.Sc. E-Mail : [EMAIL PROTECTED]
Bitonic Solutions Inc. Phone : 403.209.4025
Calgary, Alberta Cell : 403.616.9463
http://www.bitonic.com/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
