On 2009-10-04 13:37 PDT, Eddy Nigg wrote:
> On 10/04/2009 09:23 PM, Nelson B Bolyard:
>> On 2009-10-03 15:52 PDT, Jereme Bulzor wrote:
>>
>>> I've enabled client authentication in Sun One Web Server 6.1 and it does
>>> work fine when the client certificate is valid.
>>> I would like to present the user with a good error message instead of the
>>> generic one when his certificate is not valid.
>>> In this case, the user has currently no clue of what happened, whether
>>> his certificate has expired, is revoked, is false (bad signature), was
>>> provided by a not trusted certificate authority, and so on.
>>> This is very frustrating for non-tech users as they don't know what to do.
>>> Is there a trick to display client certificate authentication failure
>>> causes to the user in Sun One Web Server 6.1 ?
>>>
>> On 2009-10-03 22:45 PDT, Meena Vyas wrote:
>>
>>>> Please ask Sun Web Server related questions in forum
>>>> http://forums.sun.com/forum.jspa?forumID=759
>>>>
>> On 2009-10-04 11:43 PDT, Eddy Nigg wrote:
>>
>>> This is a Firefox issue, not a server-side problem.
>>>
>> Eddy, Please re-read the original request above.
>> It does not mention any particular browser. It does mention a particular
>> server, namely, Sun Web Server, which uses NSS. The request is quite
>> specific. It's how to change the content of the error page returned by
>> the server when it receives a certificate that is not valid, so as to
>> point out what is wrong with the certificate. NSS provides that detailed
>> info to the web server, but the server does not pass it on to the client.
>> Jereme wishes to change that.
>>
>
> Nelson, there is no server-side error page ever displayed in case the
> browser has no client certificate matching one from the list of accepted
> issuers.
That's not true. It's likely true for some servers, but not for SWS. And,
in any case, the case where the browser has no cert to send is not one of
the cases described by the original poster.

> All Firefox does is show the error page with
> *ssl_error_handshake_failure_alert*,

That's IF and ONLY IF the server causes the handshake to fail. But there
are servers that can complete the handshake successfully, and send back a
web page with an error message. Sun's web server is quite capable of that.

> on other browsers it's very similar, like Explorer simply claims "Page
> not found". This is a shortcoming of the browsers, not server.

Reporting "Page not found" when the actual error known to the browser is
something much more precise is indeed a browser shortcoming. There are
people in the Firefox community who think that that model, saying "it
didn't work" and offering no better clues, is a good model and think that
Firefox should be doing more of that and offering less detail than it now
offers. I think if IE started giving electric shocks to its users, some
Mozilla people would say Firefox should do that too.

> The mentioning of the Sun Server above is purely a coincidence and is
> pretty irrelevant regarding the user experience when confronted with it.

The original poster administers a server that is capable of doing error
reporting that is much better than the average server, but could even be
better still. He wants to know how to make it even better. But that's
outside of the scope of this list, I think.

> I wish I could control that on the server side, unfortunately this is
> not the case.

Eddy, Maybe you should try a different server product. There are server
products out there that NEVER send back failure alerts due to any kind of
authentication failure, but instead always send back https web pages
containing error messages. IINM, Sun's web server is open source now, too.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
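The server-side pattern Nelson describes above (finish the handshake even when the client certificate is bad, then explain on an ordinary HTTPS error page what was wrong with it instead of sending a fatal alert), written out in Go as an added example. This is not code from this thread, from Sun Web Server or from NSS. It assumes Go's standard crypto/x509 package, a server configured with tls.RequestClientCert so that the handshake completes regardless of the certificate, and a constructed set of revoked serial numbers standing in for a real CRL/OCSP check; the CA, the user names and the 2009 clock are constructed test data. The Explain function covers each of the failure causes the original poster listed (expired, revoked, bad signature, untrusted issuer) plus the no-certificate case Eddy raises, returning an empty string when the certificate is acceptable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Explain validates a presented client chain and returns "" when it is acceptable,
// otherwise the plain-language reason a server that completed the handshake anyway
// would put on its error page. The revoked set stands in for a CRL/OCSP lookup
// (assumption: keyed by decimal serial number).
func Explain(chain []*x509.Certificate, roots *x509.CertPool, revoked map[string]bool, now time.Time) string {
	if len(chain) == 0 {
		return "no client certificate was presented"
	}
	leaf := chain[0]
	if now.Before(leaf.NotBefore) {
		return "certificate is not valid until " + leaf.NotBefore.UTC().Format(time.RFC3339)
	}
	if now.After(leaf.NotAfter) {
		return "certificate expired on " + leaf.NotAfter.UTC().Format(time.RFC3339)
	}
	_, err := leaf.Verify(x509.VerifyOptions{ // extra certs the client sent would go in Intermediates
		Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	// Go reports an unknown issuer and a bad signature from a known issuer the same way.
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		return "certificate was not issued by an authority this server trusts, or its signature is invalid"
	}
	if err != nil {
		return "certificate could not be validated: " + err.Error()
	}
	if revoked[leaf.SerialNumber.String()] {
		return "certificate has been revoked by its issuer"
	}
	return ""
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed certificate; with parent == nil it is a self-signed CA.
func issue(serial int64, cn string, nb, na time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // end-entity client certificate
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenarios exercises each failure the original poster named against a constructed
// trust store and a fixed clock.
func Scenarios() map[string]string {
	now := time.Date(2009, 10, 4, 20, 37, 0, 0, time.UTC) // constructed clock
	ca, caKey := issue(1, "Example Root CA", now.Add(-8760*time.Hour), now.Add(8760*time.Hour), nil, nil)
	rogue, rogueKey := issue(1, "Untrusted CA", now.Add(-8760*time.Hour), now.Add(8760*time.Hour), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	valid, _ := issue(100, "alice", now.Add(-time.Hour), now.Add(time.Hour), ca, caKey)
	expired, _ := issue(101, "bob", now.Add(-48*time.Hour), now.Add(-24*time.Hour), ca, caKey)
	future, _ := issue(102, "carol", now.Add(24*time.Hour), now.Add(48*time.Hour), ca, caKey)
	untrusted, _ := issue(103, "dave", now.Add(-time.Hour), now.Add(time.Hour), rogue, rogueKey)
	gone, _ := issue(104, "erin", now.Add(-time.Hour), now.Add(time.Hour), ca, caKey)
	revoked := map[string]bool{gone.SerialNumber.String(): true}
	one := func(c *x509.Certificate) []*x509.Certificate { return []*x509.Certificate{c} }
	return map[string]string{
		"valid":         Explain(one(valid), roots, revoked, now),
		"expired":       Explain(one(expired), roots, revoked, now),
		"not-yet-valid": Explain(one(future), roots, revoked, now),
		"untrusted":     Explain(one(untrusted), roots, revoked, now),
		"revoked":       Explain(one(gone), roots, revoked, now),
		"none":          Explain(nil, roots, revoked, now),
	}
}

func main() {
	for name, reason := range Scenarios() {
		fmt.Printf("%-14s %q\n", name, reason)
	}
}
```

In a real handler the chain to pass to Explain is the one the completed handshake produced (r.TLS.PeerCertificates in net/http); the server then renders the returned reason into its error page over the same TLS connection, which is exactly what a failure alert would have prevented. Note that the date checks run before Verify so the message can carry the actual expiry date, and that Go does not distinguish an unknown issuer from a bad signature by a known issuer, so the two are reported together.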