Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/05/26 10:09:52 UTC
DO NOT REPLY [Bug 35083] New: - Certificate validation problems trapping
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35083>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=35083
Summary: Certificate validation problems trapping
Product: Apache httpd-2.0
Version: 2.0.54
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P3
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: mstern@csc.com
In case an SSL connection fails because a certificate is expired, or a CRL is
unavailable, etc., the browser receives an SSL error that results in a cryptic
technical error displayed to the user - sometimes only an error number, as in
Firefox. In such a situation, the SSL connection could be established, and an
additional module could trap the exact SSL error and redirect to a page with the
specific error message ("Your certificate is expired", "We cannot check the
validity of the certificate - retry later", etc.).
I developed such a module, which I'll submit today: mod_ssl_error
In order to let the module trap the code, we need, when the module is loaded, to
accept to establish the connection in case of a certificate validation error:
In ssl_io_filter_connect( ) - ssl_engine_io.c - we have 2 cases (at line 1147
and 1173) where the connection may break because of a certificate
verification/validation problem:
    return ssl_filter_io_shutdown(filter_ctx, c, 1);
I would return only if the error trapping module (mod_ssl_error) is not loaded.
If it is loaded, I would accept the certificate (continue the processing and
return DECLINED), as the error will be trapped later.
So, replace
return ssl_filter_io_shutdown(filter_ctx, c, 1);
by
if ( ! is_ssl_error_loaded ) return ssl_filter_io_shutdown(filter_ctx, c, 1);
In order to check if the module is loaded, I need a few lines at the beginning
of the function - unless a function exists to check if a module is loaded?
Currently I coded it in the function:
BOOL is_ssl_error_loaded = FALSE;
{   /* Check if mod_ssl_error is loaded: walk the linked list of loaded
     * modules; each module's name is its source file name, e.g. "mod_ssl.c" */
    extern AP_DECLARE_DATA module *ap_top_module;
    module *modp;
    for ( modp = ap_top_module; modp; modp = modp->next )
        if ( strcmp(modp->name, "mod_ssl_error.c") == 0 ) {
            is_ssl_error_loaded = TRUE;
            break;
        }
}
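As an added example (not the reporter's mod_ssl_error, and not httpd's own code), the self-contained C below models the two mechanisms the report describes: the walk over the loaded-module list to see whether mod_ssl_error is present, and the decision to defer a certificate verification failure rather than shut the connection down. The module_rec struct, the verify_result and disposition enums, conn_state and handler_can_report are all constructed for this example; httpd's real module record is far larger. Two design points the report leaves implicit are made explicit here: the deferred error is recorded on the connection so the later handler can actually report it, and any failure the handler cannot explain still fails closed exactly as unpatched mod_ssl would. (On the reporter's question: httpd does export ap_find_linked_module(name) in http_config.h, which performs this same walk over ap_top_module by module name.)

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for httpd's module list: only the two fields the
 * check needs (name = source file name such as "mod_ssl.c", and next). */
typedef struct module_rec {
    const char *name;
    struct module_rec *next;
} module_rec;

/* Same walk as in the report; returns 1 if a module of that name is loaded. */
int is_module_loaded(const module_rec *top, const char *name)
{
    const module_rec *modp;
    for (modp = top; modp != NULL; modp = modp->next)
        if (strcmp(modp->name, name) == 0)
            return 1;
    return 0;
}

/* Constructed classification of handshake-time verification outcomes. */
typedef enum {
    VERIFY_OK = 0,
    VERIFY_CERT_EXPIRED,
    VERIFY_CRL_UNAVAILABLE,
    VERIFY_OTHER              /* anything the reporting module cannot explain */
} verify_result;

typedef enum { DISP_CONTINUE, DISP_SHUTDOWN, DISP_DEFER } disposition;

/* Per-connection state: the deferred error must live on the connection so the
 * later error-reporting handler can find it. If it were dropped here, the
 * failed certificate would simply be accepted with no report at all. */
typedef struct {
    verify_result deferred_error;
} conn_state;

/* Which failures the (hypothetical) reporting module knows how to explain. */
static int handler_can_report(verify_result r)
{
    return r == VERIFY_CERT_EXPIRED || r == VERIFY_CRL_UNAVAILABLE;
}

/* Replaces the unconditional shutdown in the report: defer only when the
 * handler is loaded AND can report this particular failure; else fail closed. */
disposition decide_on_verify_failure(const module_rec *top, conn_state *c,
                                     verify_result r)
{
    if (r == VERIFY_OK)
        return DISP_CONTINUE;
    if (!is_module_loaded(top, "mod_ssl_error.c") || !handler_can_report(r))
        return DISP_SHUTDOWN;   /* same behaviour as unpatched mod_ssl */
    c->deferred_error = r;      /* keep it for the later redirect */
    return DISP_DEFER;
}

/* What the later handler would show; NULL when nothing was deferred. */
const char *describe_deferred(const conn_state *c)
{
    switch (c->deferred_error) {
    case VERIFY_CERT_EXPIRED:
        return "Your certificate is expired";
    case VERIFY_CRL_UNAVAILABLE:
        return "We cannot check the validity of the certificate - retry later";
    default:
        return NULL;
    }
}

int main(void)
{
    /* Constructed module list: mod_ssl_error.c -> mod_ssl.c -> end */
    module_rec ssl = { "mod_ssl.c", NULL };
    module_rec err = { "mod_ssl_error.c", &ssl };
    conn_state c = { VERIFY_OK };

    disposition d = decide_on_verify_failure(&err, &c, VERIFY_CERT_EXPIRED);
    printf("handler loaded, expired cert: disposition=%d, message=%s\n",
           d, describe_deferred(&c));

    conn_state c2 = { VERIFY_OK };
    d = decide_on_verify_failure(&ssl, &c2, VERIFY_CERT_EXPIRED);
    printf("handler absent, expired cert: disposition=%d (shutdown)\n", d);
    return 0;
}
```

Compile with any C99 compiler; no Apache headers are needed because the module list is modelled inline. The point of the handler_can_report table is that deferral is opt-in per error kind: extending the reporting module to a new failure means adding it there, while everything else keeps the original fail-closed shutdown.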