re: client certificate authentication and IE friendly errors
This is a discussion on re: client certificate authentication and IE friendly errors within the Modssl Users forums, part of the Web Server and Related Forums category; Hello, I'm having a problem with Internet Explorer's "Show friendly HTTP error messages" in response to ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
05-22-2007
|
|||
|
|||
re: client certificate authentication and IE friendly errors
Hello,
I'm having a problem with Internet Explorer's "Show friendly HTTP error messages" in response to a 403 generated by an SSLRequire directive, when trying client certificate authentication. I've come across some information about over-riding the browser config by setting the size of the message [greater than 512 bytes for a 403], which doesn't appear to work. Unfortunately I can't rely on users having unchecked this setting in the browser options. The config directives that I'm using are an SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" in conjunction with an SSLVerifyClient Optional, both within the same Location directive. I've combined these because there is a likelihood that the resource will be accessed by clients without certificates, and I'm trying to trap this in as friendly a way as possible. Everything works fine in my testing [good cert, no cert, wrong cert], except when I try to hit the server with an expired client certificate in IE. Because of some testing constraints around where I get the certificates from I've been simulating expiry by adjusting the time on both the desktop and server - just the client cert is expired at the chosen time; not the issuing CA cert or web server's. With an expired client certificate, my ErrorDocument 403 is correctly displayed if the 'show friendly messages' is unchecked, but the browser shows a 'page cannot be displayed' error if the setting is enabled. I can't see anything in the logs to distinguish the two states. A reload on the browser correctly renders the error. Is this something that anyone else has come across? I've checked the archives, and although people have cited problems with friendly errors [http://marc.info/?l=apache-modssl&m=...001204754&w=2] the circumstances seem different. Is there a saner way of handling the access attempts from browsers attempting to access the same resource both with and without client certs? Version info: - desktop: XP SP2, IE version 6.0.29... - server: Suse Linux 10.1; Apache 1.3.37; mod_ssl 2.8.28-1.3.33; openssl 0.9.8e I have the SetEnvIf HTTP_USER_AGENT ".*MSIE.*" ... enabled as per default config. SSLCACertificateFile has a single entry for the issuing CA. Thanks, Donal __________________________________________________ ____________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager majordomo@modssl.org 
|
Linear Mode
