Posted to users@tomcat.apache.org by Will Nordmeyer <qu...@gmail.com> on 2012/12/21 13:35:26 UTC

Reporting a revoked certificate

At long last, I have tomcat configured, I have revoked certificates to
test with... my question today...

When I try using a revoked certificate, I get the lovely and
meaningful "page cannot be displayed."  So it is properly denying
access - but it doesn't appear to provide any other feedback
to the browser.

Is that correct, or is it configurable so it could report -
certificate revoked, or certificate invalid or something?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Reporting a revoked certificate

Posted by Will Nordmeyer <qu...@gmail.com>.
On Fri, Dec 21, 2012 at 10:30 AM, Daniel Mikusa <dm...@vmware.com> wrote:
> On Dec 21, 2012, at 9:28 AM, Will Nordmeyer wrote:
>
>> On Fri, Dec 21, 2012 at 8:35 AM, Daniel Mikusa <dm...@vmware.com> wrote:
>>> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>>>
>>>> At long last, I have tomcat configured, I have revoked certificates to
>>>> test with…
>>>
>>> Nice!
>>>
>>>> my question today...
>>>>
>>>> When I try using a revoked certificate, I get the lovely and
>>>> meaningful "page cannot be displayed."
>>>
>>> What browser are you using?  This sounds like the generic IE message.
>>>
>>>> So it is properly denying
>>>> access - but it doesn't appear to provide any other feedback
>>>> to the browser.
>>>
>>> Tomcat should be returning some HTTP error code like 400 Bad request, 401 Unauthorized or 403 Forbidden.  If your browser is masking it, you can see exactly what is returned by looking at the access log.  You can then override that code and provide a custom error page (like Twitter's Fail Whale).  See the <error-page> tag in web.xml for more details.
>>>
>>> One note about this.  If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages.  I believe it's 512 bytes.
>>>
>>> Dan
>>>
>> Thanks Dan - which access log should I look at?  All of the tomcat
>> logs don't show anything.  I've got it configured with APR & TCNATIVE
>
> Mark and Cédric are right.
>
> Ignore my post, sorry about sending you down the wrong path.
>
> Dan
>
OK - I thought my answer was no luck since I didn't see anything in my
googling before running to you all.  But thought I'd ask just in case.



Re: Reporting a revoked certificate

Posted by Daniel Mikusa <dm...@vmware.com>.
On Dec 21, 2012, at 9:28 AM, Will Nordmeyer wrote:

> On Fri, Dec 21, 2012 at 8:35 AM, Daniel Mikusa <dm...@vmware.com> wrote:
>> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>> 
>>> At long last, I have tomcat configured, I have revoked certificates to
>>> test with…
>> 
>> Nice!
>> 
>>> my question today...
>>> 
>>> When I try using a revoked certificate, I get the lovely and
>>> meaningful "page cannot be displayed."
>> 
>> What browser are you using?  This sounds like the generic IE message.
>> 
>>> So it is properly denying
>>> access - but it doesn't appear to provide any other feedback
>>> to the browser.
>> 
>> Tomcat should be returning some HTTP error code like 400 Bad request, 401 Unauthorized or 403 Forbidden.  If your browser is masking it, you can see exactly what is returned by looking at the access log.  You can then override that code and provide a custom error page (like Twitter's Fail Whale).  See the <error-page> tag in web.xml for more details.
>> 
>> One note about this.  If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages.  I believe it's 512 bytes.
>> 
>> Dan
>> 
> Thanks Dan - which access log should I look at?  All of the tomcat
> logs don't show anything.  I've got it configured with APR & TCNATIVE

Mark and Cédric are right.

Ignore my post, sorry about sending you down the wrong path.

Dan






Re: Reporting a revoked certificate

Posted by Mark Thomas <ma...@apache.org>.
On 21/12/2012 14:51, Martin Gainty wrote:
> 
> things to check

Don't bother. This is yet more irrelevant nonsense from Martin.

Mark


>
> 1) Are you implementing mod_ssl or any SSL modules in Apache?
> 2) If not mod_ssl, are you implementing SSL in the Tomcat BIO connector?
>
> 3) If not mod_ssl, are you implementing SSL in the Tomcat NIO connector?
> 
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
> Martin______________________________________________ 
> ..place long-winded disclaimer here..
>> Date: Fri, 21 Dec 2012 15:36:43 +0100
>> Subject: Re: Reporting a revoked certificate
>> From: cedric.couralet@gmail.com
>> To: users@tomcat.apache.org
>>
>>>
>>> Hello,
>>>
>>> I'm not sure you could get an error page. The ssl dialog takes place
>>> before any http communication. So I don't think tomcat can send an
>>> http response if the certificate is revoked.
>>>
>>> You could use openssl s_client to try and connect to your server to
>>> see what is returned from Tomcat exactly.
>>
>> And as a quick test, you could try with Firefox. I've found it gives
>> an almost meaningful error dialog when dealing with SSL.
>>




RE: Reporting a revoked certificate

Posted by Martin Gainty <mg...@hotmail.com>.
things to check
 
1) Are you implementing mod_ssl or any SSL modules in Apache?
2) If not mod_ssl, are you implementing SSL in the Tomcat BIO connector?

3) If not mod_ssl, are you implementing SSL in the Tomcat NIO connector?

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
Martin______________________________________________ 
..place long-winded disclaimer here..
> Date: Fri, 21 Dec 2012 15:36:43 +0100
> Subject: Re: Reporting a revoked certificate
> From: cedric.couralet@gmail.com
> To: users@tomcat.apache.org
> 
> >
> > Hello,
> >
> > I'm not sure you could get an error page. The ssl dialog takes place
> > before any http communication. So I don't think tomcat can send an
> > http response if the certificate is revoked.
> >
> > You could use openssl s_client to try and connect to your server to
> > see what is returned from Tomcat exactly.
> 
> And as a quick test, you could try with Firefox. I've found it gives
> an almost meaningful error dialog when dealing with SSL.
> 

Re: Reporting a revoked certificate

Posted by Cédric Couralet <ce...@gmail.com>.
>
> Hello,
>
> I'm not sure you could get an error page. The ssl dialog takes place
> before any http communication. So I don't think tomcat can send an
> http response if the certificate is revoked.
>
> You could use openssl s_client to try and connect to your server to
> see what is returned from Tomcat exactly.

And as a quick test, you could try with Firefox. I've found it gives
an almost meaningful error dialog when dealing with SSL.



Re: Reporting a revoked certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Cédric,

On 12/21/12 9:34 AM, Cédric Couralet wrote:
>>> 
>> Thanks Dan - which access log should I look at?  all of the
>> tomcat logs don't show anything.  I've got it configured with APR
>> & TCNATIVE
>> 
> 
> Hello,
> 
> I'm not sure you could get an error page. The ssl dialog takes
> place before any http communication. So I don't think tomcat can
> send an http response if the certificate is revoked.

+1

I don't think you have any control over the page that gets displayed
in this event: Tomcat does not even get involved. Either OpenSSL or
JSSE will simply refuse the handshake and the (software) client has to
report something to the user. Sounds like MSIE does its usual
worthless error reporting.

-chris



Re: Reporting a revoked certificate

Posted by Cédric Couralet <ce...@gmail.com>.
>>
> Thanks Dan - which access log should I look at?  all of the tomcat
> logs don't show anything.  I've got it configured with APR & TCNATIVE
>

Hello,

I'm not sure you could get an error page. The ssl dialog takes place
before any http communication. So I don't think tomcat can send an
http response if the certificate is revoked.

You could use openssl s_client to try and connect to your server to
see what is returned from Tomcat exactly.

Cédric



Re: Reporting a revoked certificate

Posted by Will Nordmeyer <qu...@gmail.com>.
On Fri, Dec 21, 2012 at 8:35 AM, Daniel Mikusa <dm...@vmware.com> wrote:
> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
>
>> At long last, I have tomcat configured, I have revoked certificates to
>> test with…
>
> Nice!
>
>> my question today...
>>
>> When I try using a revoked certificate, I get the lovely and
>> meaningful "page cannot be displayed."
>
> What browser are you using?  This sounds like the generic IE message.
>
>> So it is properly denying
>> access - but it doesn't appear to provide any other feedback
>> to the browser.
>
> Tomcat should be returning some HTTP error code like 400 Bad request, 401 Unauthorized or 403 Forbidden.  If your browser is masking it, you can see exactly what is returned by looking at the access log.  You can then override that code and provide a custom error page (like Twitter's Fail Whale).  See the <error-page> tag in web.xml for more details.
>
> One note about this.  If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages.  I believe it's 512 bytes.
>
> Dan
>
Thanks Dan - which access log should I look at?  All of the tomcat
logs don't show anything.  I've got it configured with APR & TCNATIVE



Re: Reporting a revoked certificate

Posted by Mark Thomas <ma...@apache.org>.
On 21/12/2012 13:35, Daniel Mikusa wrote:
> On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:
> 
>> At long last, I have tomcat configured, I have revoked certificates
>> to test with…
> 
> Nice!
> 
>> my question today...
>> 
>> When I try using a revoked certificate, I get the lovely and 
>> meaningful "page cannot be displayed."
> 
> What browser are you using?  This sounds like the generic IE
> message.
> 
>> So it is properly denying access - but it doesn't appear to
>> provide any other feedback to the browser.
> 
> Tomcat should be returning some HTTP error code

Nope.

If the SSL session is not established (and if the client cert isn't
valid there will not be an SSL session), there is no HTTP request for
Tomcat to respond to.

You'll get whatever (un)helpful message the browser decides to display.

Mark
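As an added example (not code from the thread, from Tomcat or from any poster), here is a small Python decoder for the first TLS record a client reads back after presenting its certificate, illustrating Mark's point above and Cédric's suggestion to look at what the server actually returns: a rejected certificate ends in a fatal TLS alert record, so there is never an HTTP status for an <error-page> mapping to catch. The sample records are constructed, not captures from a real server.

```python
# Added example, not from the thread or Tomcat: decode the first TLS record a
# client reads back after sending its certificate (codes per RFC 5246, TLS 1.2).
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset relevant to client-certificate checks
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}


def classify_first_record(data: bytes) -> dict:
    """Parse one TLS record header (type, version, length) and, for an alert
    record, its level and description. Reports whether the handshake was
    aborted, in which case no HTTP request ever reaches Tomcat."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte TLS record header")
    ctype = data[0]
    length = int.from_bytes(data[3:5], "big")
    if len(data) < 5 + length:
        raise ValueError("truncated TLS record")
    result = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
              "wire_version": f"{data[1]}.{data[2]}",  # 3.3 == TLS 1.2
              "handshake_aborted": False, "alert_level": None, "alert": None}
    if ctype == 0x15:
        if length != 2:
            raise ValueError("alert payload must be exactly 2 bytes")
        level, desc = data[5], data[6]
        result["alert_level"] = ALERT_LEVELS.get(level, f"unknown({level})")
        result["alert"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
        # A fatal alert terminates the connection; the browser gets no HTTP
        # response and shows its own generic error instead.
        result["handshake_aborted"] = level == 2
    return result


# Constructed sample records (not captures from a real server).
# Fatal alert, description 44 = certificate_revoked.
REVOKED_ALERT = bytes.fromhex("1503030002022c")
# Fatal alert, description 48 = unknown_ca (issuer not in the truststore).
UNKNOWN_CA_ALERT = bytes.fromhex("15030300020230")
# ChangeCipherSpec: the server accepted the certificate and the handshake
# continues, so an HTTP exchange (and any <error-page>) can follow.
ACCEPTED_CCS = bytes.fromhex("140303000101")

if __name__ == "__main__":
    for name, rec in [("revoked", REVOKED_ALERT), ("unknown_ca", UNKNOWN_CA_ALERT),
                      ("accepted", ACCEPTED_CCS)]:
        print(name, classify_first_record(rec))
```

Running `openssl s_client` against the server with the revoked certificate, as Cédric suggests, is how you would capture such a record from a real Tomcat instead of the constructed bytes above.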



Re: Reporting a revoked certificate

Posted by Daniel Mikusa <dm...@vmware.com>.
On Dec 21, 2012, at 7:35 AM, Will Nordmeyer wrote:

> At long last, I have tomcat configured, I have revoked certificates to
> test with…

Nice!

> my question today...
> 
> When I try using a revoked certificate, I get the lovely and
> meaningful "page cannot be displayed."  

What browser are you using?  This sounds like the generic IE message.

> So it is properly denying
> access - but it doesn't appear to provide any other feedback
> to the browser.

Tomcat should be returning some HTTP error code like 400 Bad request, 401 Unauthorized or 403 Forbidden.  If your browser is masking it, you can see exactly what is returned by looking at the access log.  You can then override that code and provide a custom error page (like Twitter's Fail Whale).  See the <error-page> tag in web.xml for more details.

One note about this.  If you are using IE, your custom error page has to be over a certain size or IE will still continue to display its generic messages.  I believe it's 512 bytes.

Dan

> 
> Is that correct, or is it configurable so it could report -
> certificate revoked, or certificate invalid or something?
> 

