Christian Nolte wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> I have set up certificate based authentication using
>
> SSLVerifyClient require
>
> in my httpd.conf. Everything works fine but if a client does not have a
> valid certificate Firefox gives an obscure error message:
>
> "www.example.com has received an incorrect or unexpected message. Error
> Code: -12227"
>
> Is there a way to give the client a normal error page, like e.g. for 404
> errors?
>
> Best regards!
> Christian
>
> - --
> For more than 4 generations the IT Professionals were the guardians
> of quality and stability in software. Before the dark times.
> Before Microsoft...
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFHfLeiCNjA0nfhW7wRAgUMAKDHF5oLVSLa7YkSoDt7bY mRvFOAtwCgzgwS
> 7C8W5RdIMDHAeA3PYIJOBPk=
> =XlfO
> -----END PGP SIGNATURE-----
> __________________________________________________ ____________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org



II. Tricks
1. Redirect all HTTP requests to HTTPS
a. Load mod_rewrite (see:
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
b. Add the following rule to your non-HTTPS server configuration
(httpd.conf):
# Require HTTPS
RewriteEngine on
RewriteRule ^/(.*) https://${SERVER_NAME}/$1 [redirect=permanent]

2. Redirect all requests that fail to authenticate to an error page
a. Load mod_rewrite (see:
http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html )
b. Add the following rule to your HTTPS server configuration
(mod_ssl.conf):
i. Apache 1.3.x: (NOTE: Internet Explorer does not work
correctly with Apache 1.3.x and mod_ssl when SSLVerifyClient
is set to anything except "none")
# Redirect client-verification-failures to a specific
# page.
RewriteEngine on
RewriteCond %{SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule . /error-pages/pki/pki-invalid.html [last]
i. Apache 2.2.x:
# Redirect client-verification-failures to a specific
# page.
RewriteEngine on
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule . /error-pages/pki/pki-invalid.html [last]
c. Change "SSLVerifyClient" to "optional" (NOTE: Internet Explorer
does not work correctly with Apache 1.3.x and mod_ssl when
SSLVerifyClient is set to anything except "none")
SSLVerifyClient optional

--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org