I configured a VirtualHost with SSL enabled and SSL client authentication, all of that on apache2 2.2.8 (ubuntu server 8.04).

All SSL certificates (CA, Server certificate, Client certificate, CRL) were generated with openssl command line.

I want to redirect the user to a custom error page if the client certificate isn't valid (not present, expired, or revoked).

Here is the configuration of my virtual host:

<VirtualHost *:443>
    ServerName myserv.example.com
    DocumentRoot /var/www/myserv/

    CustomLog /var/log/apache2/myserv.access.log combined
    ErrorLog /var/log/apache2/myserv.error.log
    LogLevel warn

    SSLEngine on
    SSLOptions +StdEnvVars +ExportCertData

    SSLCertificateFile "/etc/apache2/ssl/certs/servcrt.pem"
    SSLCertificateKeyFile "/etc/apache2/ssl/private/servkey.pem"

    SSLCACertificateFile "/etc/apache2/ssl/certs/ca.pem"

    SSLCARevocationPath "/etc/apache2/ssl/crl/"
    SSLCARevocationFile "/etc/apache2/ssl/crl/crl.pem"

    <Directory /var/www/myserv/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all

        SSLVerifyClient optional
        SSLVerifyDepth 1

        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .* /error-page.html [L]
    </Directory>
</VirtualHost>

With that configuration, if the user doesn't have any SSL certificate, he's correctly redirected to the error page. But if he has a revoked or expired certificate, the handshake fails (normal) and the connection is closed (returning an SSL error on the browser).

How can I tell apache2 to redirect the user to the correct page instead of closing the connection on SSL handshake failure?

linkdd
  • 2 years later, I got the exact same problem and I can't figure it out. I wonder if you ever had a solution. – smozgur Apr 24 '15 at 19:02
  • I think the browser can also act on the fact that the certificate it presented was rejected. It may happen that it's your browser who closes the connection. Can you check which node sends the RST+ACK packet? – asdmin Jul 04 '16 at 08:40

2 Answers

It is a common misconception that a web server can "do something" instead of displaying most (maybe all) SSL errors in the browser.

This is because the SSL handshake occurs first and completely independently of any HTTP communication. Though we treat it as one, HTTPS is not really a different protocol to HTTP; it is "HTTP over an encrypted channel between your browser and the server".

If the client presents an invalid certificate, the SSL handshake fails and you get an error. At this point no HTTP communication has occurred, and thus no opportunity to redirect the user exists.

Unbeliever

Another option to try: SSLVerifyClient optional_no_ca and check if SSL_CLIENT_VERIFY still says SUCCESS for valid certs.

Otherwise when testing with a valid but untrusted CA cert SSL_CLIENT_VERIFY says GENEROUS so that could utilize the redirect.

Might also be, like others said, that the web browser detected the client cert is expired and aborted the handshake anyway. Needs more testing to confirm browser behavior.

If the client cert signing CAs can also be different for some reason you'll want to look into SSLCADNRequestFile directive to specify the CAs, or if any CA then probably a file with a single empty line.

Otherwise httpd automatically tells the client which CAs are allowed based on what it's verified against and the web browser could just abort the handshake because it couldn't find any applicable client certs.

Rob Olmos
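The answer above relies on mod_ssl exporting SSL_CLIENT_VERIFY as one of NONE, SUCCESS, GENEROUS or FAILED:reason, and on the fact that with SSLVerifyClient optional_no_ca a certificate that cannot be chained to the configured CA still completes the handshake (showing up as GENEROUS). The code below is an added example, not part of the question or either answer: it moves the "redirect unless SUCCESS" decision from mod_rewrite into a small WSGI application, so the application can send the user to the error page with a reason and, just as importantly, only trusts the client DN after the state is SUCCESS. It assumes the SSL_* variables reach the WSGI environ (as they do under mod_wsgi when SSLOptions +StdEnvVars is set, as in the question's configuration) and reuses the question's /error-page.html path; the environ dictionaries used in the comments are constructed samples.

```python
from urllib.parse import urlencode

# Assumed path: the question's own rewrite target.
ERROR_PAGE = "/error-page.html"


def classify_client_verify(value):
    """Map mod_ssl's SSL_CLIENT_VERIFY variable to (state, detail).

    mod_ssl exports NONE, SUCCESS, GENEROUS or FAILED:<reason>. With
    SSLVerifyClient optional_no_ca a certificate that does not chain to the
    configured CA still completes the handshake and shows up as GENEROUS, so
    the application must treat everything except SUCCESS as unauthenticated.
    """
    if not value:
        # Variable missing: no TLS on this vhost, or +StdEnvVars not set.
        return "NONE", "variable not exported"
    value = value.strip()
    if value == "SUCCESS":
        return "SUCCESS", "certificate verified against the configured CA"
    if value == "NONE":
        return "NONE", "no client certificate presented"
    if value == "GENEROUS":
        return "GENEROUS", "certificate presented but not verifiable"
    if value.startswith("FAILED:"):
        return "FAILED", value[len("FAILED:"):].strip() or "unspecified"
    return "UNKNOWN", value


def handle(environ):
    """Decide the response for one request; returns (status, headers, body).

    Kept separate from the WSGI entry point so it can be exercised with a
    constructed environ such as
    {"PATH_INFO": "/secret", "SSL_CLIENT_VERIFY": "GENEROUS"}.
    """
    path = environ.get("PATH_INFO", "/")
    state, detail = classify_client_verify(environ.get("SSL_CLIENT_VERIFY"))

    # The error page itself must be served without a certificate, otherwise
    # the redirect below would loop forever.
    if path == ERROR_PAGE:
        body = "Client certificate problem: %s (%s)\n" % (state, detail)
        return "200 OK", [("Content-Type", "text/plain; charset=utf-8")], body.encode()

    if state != "SUCCESS":
        # Carry the state to the error page so it can explain what went wrong.
        query = urlencode({"reason": state, "detail": detail})
        location = "%s?%s" % (ERROR_PAGE, query)
        headers = [("Location", location), ("Content-Type", "text/plain")]
        return "302 Found", headers, b"client certificate required\n"

    # Only after a SUCCESS verification is the subject DN meaningful; under
    # optional_no_ca any presented certificate populates SSL_CLIENT_S_DN, so
    # reading it earlier would identify the user from an unverified cert.
    subject = environ.get("SSL_CLIENT_S_DN", "<no DN exported>")
    body = "Hello, %s\n" % subject
    return "200 OK", [("Content-Type", "text/plain; charset=utf-8")], body.encode()


def application(environ, start_response):
    """WSGI entry point; mod_wsgi passes the SSL_* variables in environ."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]
```

This only helps for the cases in which the handshake actually completes: as the first answer explains, when the handshake itself fails there is no HTTP request for this code (or mod_rewrite) to act on, and the browser may still abort on its own as noted above.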