Posted to bugs@httpd.apache.org by bu...@apache.org on 2005/05/26 10:09:52 UTC

DO NOT REPLY [Bug 35083] New: - Certificate validation problems trapping

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=35083>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35083

           Summary: Certificate validation problems trapping
           Product: Apache httpd-2.0
           Version: 2.0.54
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P3
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mstern@csc.com


In case an SSL connection fails because a certificate is expired, or a CRL is
unavailable, etc., the browser receives an SSL error that results in a cryptic
technical error displayed to the user - sometimes only an error number, as in
Firefox. In such a situation, the SSL connection could be established, and an
additional module could trap the exact SSL error and redirect to a page with the
specific error message ("Your certificate is expired", "We cannot check the
validity of the certificate - retry later", etc.).

I developed such a module, that I'll submit today: mod_ssl_error

In order to let the module trap the code, we need, when the module is loaded, to
accept establishing the connection in case of a certificate validation error:

In ssl_io_filter_connect( ) - ssl_engine_io.c - we have 2 cases (at line 1147
and 1173) where the connection may break because of a certificate
verification/validation problem:  ' return ssl_filter_io_shutdown(filter_ctx, c,
1); '

I would return only if the error trapping module (mod_ssl_error) is not loaded.
If it is loaded, I would accept the certificate (continue processing and
return DECLINED), as the error will be trapped later.
So, replace
    return ssl_filter_io_shutdown(filter_ctx, c, 1);
by
    if ( ! is_ssl_error_loaded ) return ssl_filter_io_shutdown(filter_ctx, c, 1);

In order to check if the module is loaded, I need a few lines at the beginning
of the function - unless a function exists to check if a module is loaded?
Currently I coded it in the function:
    BOOL is_ssl_error_loaded = FALSE;   /* BOOL/TRUE/FALSE come from mod_ssl's own headers */
    { /* Check if mod_ssl_error is loaded by walking the linked list of loaded modules */
        extern AP_DECLARE_DATA module *ap_top_module;   /* head of the module chain (http_config.h) */
        module *modp;
        for ( modp = ap_top_module; modp; modp = modp->next )
            if ( strcmp(modp->name, "mod_ssl_error.c") == 0 ) {   /* module->name is the source file name */
                is_ssl_error_loaded = TRUE;
                break;
            }
    }

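Added example, not code from the bug report, from mod_ssl or from mod_ssl_error: it models the gate proposed above (keep the connection on a verification failure only when an error-trapping module is loaded, otherwise shut down) together with the rule such a module then has to enforce on every request, namely that an unverified connection may only be served the error page. The `module_t` struct is a simplified stand-in for httpd's `module` chain hung off `ap_top_module`, and every name, enum value and message below is hypothetical.

```c
/* Added example (not from the bug report or httpd). The module list, the
 * verify-result enum and the request handler are all hypothetical stand-ins. */
#include <stdio.h>
#include <string.h>

/* Stand-in for httpd's module struct: only the fields the walk needs. */
typedef struct module_s {
    const char *name;          /* source file name, e.g. "mod_ssl_error.c" */
    struct module_s *next;
} module_t;

/* The same walk as in the report, over a caller-supplied list head. */
int module_is_loaded(const module_t *top, const char *name)
{
    const module_t *m;
    for (m = top; m; m = m->next)
        if (strcmp(m->name, name) == 0)
            return 1;
    return 0;
}

/* Outcome of the peer certificate check, as the filter sees it (constructed). */
typedef enum {
    VERIFY_OK,
    VERIFY_CERT_EXPIRED,
    VERIFY_CRL_UNAVAILABLE,
    VERIFY_UNTRUSTED_ISSUER
} verify_result_t;

/* Per-connection state: did the peer pass, and what to tell the user if not. */
typedef struct {
    verify_result_t result;
    int verified;               /* 1 only when result == VERIFY_OK */
    const char *user_message;   /* set when the failure is deferred */
} ssl_conn_t;

#define ACTION_SHUTDOWN 0
#define ACTION_CONTINUE 1

static const char *describe(verify_result_t r)
{
    switch (r) {
    case VERIFY_OK:              return "certificate accepted";
    case VERIFY_CERT_EXPIRED:    return "Your certificate is expired";
    case VERIFY_CRL_UNAVAILABLE: return "We cannot check the validity of the certificate - retry later";
    default:                     return "Your certificate is not trusted";
    }
}

/* The gate from the report: on a failure, shut down unless an error-trapping
 * module is loaded; if it is, keep the connection but record the peer as
 * unverified so the failure can be reported (and enforced) later. */
int after_verify(ssl_conn_t *c, verify_result_t r, int error_module_loaded)
{
    c->result = r;
    c->verified = (r == VERIFY_OK);
    c->user_message = c->verified ? NULL : describe(r);
    if (c->verified)
        return ACTION_CONTINUE;
    return error_module_loaded ? ACTION_CONTINUE : ACTION_SHUTDOWN;
}

/* What the trapping module must do on every request once the connection was
 * kept: an unverified peer may only fetch the error page; everything else is
 * refused. Returns the HTTP status the handler would produce. */
int handle_request(const ssl_conn_t *c, const char *uri, const char *error_page)
{
    if (c->verified)
        return 200;
    if (strcmp(uri, error_page) == 0)
        return 200;               /* serve the human-readable explanation */
    return 403;                   /* protected content stays protected */
}

int main(void)
{
    /* constructed module chain: mod_ssl.c -> mod_ssl_error.c -> core.c */
    module_t m_core = { "core.c", NULL };
    module_t m_err  = { "mod_ssl_error.c", &m_core };
    module_t m_ssl  = { "mod_ssl.c", &m_err };
    int loaded = module_is_loaded(&m_ssl, "mod_ssl_error.c");

    ssl_conn_t c;
    int action = after_verify(&c, VERIFY_CERT_EXPIRED, loaded);
    printf("error module loaded: %d, action: %s\n", loaded,
           action == ACTION_CONTINUE ? "continue" : "shutdown");
    printf("GET /error.html -> %d\n", handle_request(&c, "/error.html", "/error.html"));
    printf("GET /secret     -> %d (%s)\n",
           handle_request(&c, "/secret", "/error.html"), c.user_message);
    return 0;
}
```

The point of splitting the logic in two is that deferring the shutdown only stays safe if the deferred failure is enforced somewhere: `after_verify` records `verified = 0`, and `handle_request` is the place that turns that record into a 403 for anything but the explanatory page, so a connection kept alive for the sake of a better error message never reaches content that the original shutdown would have protected.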