On 10/04/2009 09:23 PM, Nelson B Bolyard:
On 2009-10-03 15:52 PDT, Jereme Bulzor wrote:
I've enabled client authentication in Sun One Web Server 6.1 and it does
work fine when the client certificate is valid.
I would like to present the user with a good error message instead of the
generic one when his certificate is not valid.
In this case, the user has currently no clue of what happened, whether
his certificate has expired, is revoked, is false (bad signature), was
provided by a not trusted certificate authority, and so on.
This is very frustrating for non-tech users as they don't know what to do.
Is there a trick to display client certificate authentication failure
causes to the user in Sun One Web Server 6.1?
On 2009-10-03 22:45 PDT, Meena Vyas wrote:
Please ask Sun Web Server related questions in forum
http://forums.sun.com/forum.jspa?forumID=759
On 2009-10-04 11:43 PDT, Eddy Nigg wrote:
This is a Firefox issue, not a server-side problem.
Eddy, Please re-read the original request above.
It does not mention any particular browser.  It does mention a particular
server, namely, Sun Web Server, which uses NSS.  The request is quite
specific.  It's how to change the content of the error page returned by
the server when it receives a certificate that is not valid, so as to
point out what is wrong with the certificate.  NSS provides that detailed
info to the web server, but the server does not pass it on to the client.
Jereme wishes to change that.

Nelson, there is no server-side error page ever displayed in case the browser has no client certificate matching one from the list of accepted issuers. All Firefox does is show the error page with *ssl_error_handshake_failure_alert*; on other browsers it's very similar, e.g. Explorer simply claims "Page not found". This is a shortcoming of the browsers, not the server. The mention of the Sun Server above is purely a coincidence and is pretty irrelevant regarding the user experience when confronted with it.

I wish I could control that on the server side, but unfortunately this is not the case. For example, see https://www.startssl.com/?app=25#10 and the item thereafter, which can give you a feeling for the struggles we have there with client certificate authentication and the wonderful handling in browsers.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
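The point made above is that the reason for rejection never reaches the user because the server aborts the handshake with an alert. A server can instead accept any certificate at the TLS layer (in Go, tls.RequireAnyClientCert) and verify it in the application, where the reason can be written on an ordinary error page. The classifier below is an added example, not code from this thread, from Sun Web Server or from NSS; it does that verification with Go's crypto/x509 on constructed test certificates, and the CA name, the subject "alice" and the function names are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// ClassifyClientCert verifies a client certificate at the application layer and maps the
// outcome to a user-facing reason that an HTTP 403 page can carry instead of a bare TLS alert.
func ClassifyClientCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	var inv, unk = x509.CertificateInvalidError{}, x509.UnknownAuthorityError{}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &inv) && inv.Reason == x509.Expired: // also covers "not yet valid"
		return "expired"
	case errors.As(err, &unk): // no trusted issuer, or the chain signature does not verify
		return "untrusted issuer"
	default:
		return "invalid: " + err.Error() // other reasons, e.g. incompatible key usage
	}
}
// mint issues a constructed test certificate; a nil parent yields a self-signed one.
func mint(cn string, ca bool, nb, na time.Time, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { parent, pk = t, key } // self-sign with the freshly generated key
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Scenarios classifies three constructed client certs: valid, expired, and self-signed (no trusted issuer).
func Scenarios() (valid, expired, foreign string) {
	now := time.Now()
	ca, caKey := mint("Constructed test CA", true, now.Add(-time.Hour), now.Add(24*time.Hour), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := mint("alice", false, now.Add(-time.Hour), now.Add(time.Hour), ca, caKey)
	old, _ := mint("alice", false, now.Add(-2*time.Hour), now.Add(-time.Hour), ca, caKey)
	rogue, _ := mint("alice", false, now.Add(-time.Hour), now.Add(time.Hour), nil, nil)
	return ClassifyClientCert(good, roots, now), ClassifyClientCert(old, roots, now), ClassifyClientCert(rogue, roots, now)
}
```

Revocation is not covered here: Go's Verify does not consult CRLs or OCSP, so a revoked-but-otherwise-valid certificate would need a separate status check before the handler accepts it.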

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto