Hello,

I'm having a problem with Internet Explorer's "Show friendly HTTP error
messages" in response to a 403 generated by an SSLRequire directive, when
trying client certificate authentication.

I've come across some information about over-riding the browser config by
setting the size of the message [greater than 512 bytes for a 403], which
doesn't appear to work. Unfortunately I can't rely on users having unchecked
this setting in the browser options.

The config directives that I'm using are an SSLRequire %{SSL_CLIENT_VERIFY} eq
"SUCCESS" in conjunction with an SSLVerifyClient Optional, both within the
same Location directive. I've combined these because there is a likelihood
that the resource will be accessed by clients without certificates, and I'm
trying to trap this in as friendly a way as possible.

Everything works fine in my testing [good cert, no cert, wrong cert], except
when I try to hit the server with an expired client certificate in IE. Because
of some testing constraints around where I get the certificates from I've been
simulating expiry by adjusting the time on both the desktop and server - just
the client cert is expired at the chosen time; not the issuing CA cert or web
server's.

With an expired client certificate, my ErrorDocument 403 is correctly
displayed if the 'show friendly messages' is unchecked, but the browser shows
a 'page cannot be displayed' error if the setting is enabled. I can't see
anything in the logs to distinguish the two states. A reload on the browser
correctly renders the error.

Is this something that anyone else has come across? I've checked the archives,
and although people have cited problems with friendly errors
[http://marc.info/?l=apache-modssl&m=...001204754&w=2] the circumstances
seem different.

Is there a saner way of handling the access attempts from browsers attempting
to access the same resource both with and without client certs?

Version info:
- desktop: XP SP2, IE version 6.0.29...
- server: Suse Linux 10.1; Apache 1.3.37; mod_ssl 2.8.28-1.3.33; openssl
0.9.8e

I have the SetEnvIf HTTP_USER_AGENT ".*MSIE.*" ... enabled as per default
config. SSLCACertificateFile has a single entry for the issuing CA.

Thanks,

Donal




__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org