On 2009-10-04 19:55 PDT, Eddy Nigg wrote:
> On 10/05/2009 03:41 AM, Nelson B Bolyard:
>> That's not true. It's likely true for some servers, but not for SWS.
>>
>> And, in any case, the case where the browser has no cert to send is not
>> one of the cases described by the original poster.
>
> Well, there is no difference in the reporting by Firefox, be it if the
> certificate has expired or is entirely missing. It MIGHT report revoked due
> to revocation checking with OCSP; for certificates which don't support
> OCSP the certificate is treated as valid.

Eddy,

We're talking about the status of the client cert, not the server cert.

The client doesn't do a validity check on its own cert before using it.
It doesn't check to see if its own cert has been revoked. It doesn't even
check to see that it has a complete cert chain. If it has an unexpired cert
from any of the issuers named by the server (or from ANY issuer, if the
server has named no issuers), and the cert's extensions do not obviously
preclude it from being used for client auth, then the browser will send
the cert.

If the browser has no cert to send, it sends an "I have no cert" message.
It's entirely up to the server to decide what to do then. Many servers
send back an alert and drop the connection, but SWS will happily complete
the handshake anyway and send back a nice error page. Unfortunately, that
error page is not as detailed as it could be, and the original poster
wants to improve that.

>> Eddy, Maybe you should try a different server product. There are server
>> products out there that NEVER send back failure alerts due to any kind
>> of authentication failure, but instead always send back https web pages
>> containing error messages.
>>
>
> Nelson you must be joking!

Nope.

> Firefox doesn't even ATTEMPT to authenticate
> with the server in all these cases, this includes:
>
> Expired certificate
> Revoked certificate
> Bad signature
> Non-existing certificate
> Missing CA chain (in case the server sends only a root as accepted CA,
> but the certificate is issued by an intermediate)

You're talking about problems with the SERVER's certificate. But the
original poster is talking about issues with the CLIENT's certificate.
You're thinking about a COMPLETELY different problem than the one facing
the original poster.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
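The client-side selection rule and the two server behaviours described in Nelson's reply (alert-and-drop versus complete-the-handshake-and-serve-an-error-page), modelled as an added example; this is illustrative code written for this page, not Firefox, NSS or SWS code. The certificate records, issuer names, the `id-kp-clientAuth` label for the client-auth EKU, and the `browser_pick_cert` / `server_decide` helpers are all constructed for the example. It shows why the server, not the browser, must do the expiry, revocation and chain checks: the browser will happily offer a revoked cert as long as it is unexpired, from a requested issuer, and not EKU-restricted.

```python
"""Model of TLS client-certificate selection and server-side handling.

Constructed example: the browser picks a cert using only the checks
named in the message above (expiry, issuer list, EKU); revocation and
chain completeness are the server's job.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical label standing in for the clientAuth EKU OID (1.3.6.1.5.5.7.3.2).
CLIENT_AUTH_EKU = "id-kp-clientAuth"


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    not_after: datetime
    ekus: frozenset = frozenset()      # empty = no EKU extension = unrestricted
    # Known only to a full validator (CRL/OCSP, chain building); the browser
    # does NOT consult these when deciding what to send.
    revoked: bool = False
    chain_complete: bool = True


def browser_pick_cert(certs, requested_issuers, now):
    """Return the first cert a browser would offer, or None ("I have no cert")."""
    for cert in certs:
        if cert.not_after <= now:
            continue                    # expired: never offered
        if requested_issuers and cert.issuer not in requested_issuers:
            continue                    # not from an issuer named in CertificateRequest
        if cert.ekus and CLIENT_AUTH_EKU not in cert.ekus:
            continue                    # EKU obviously precludes client auth
        return cert                     # note: no revocation or chain check here
    return None


def server_decide(cert, trusted_issuers, now, alert_on_failure):
    """Server side: full validation, then either a TLS alert or an error page."""
    if cert is None:
        reason, alert = "no client certificate presented", "handshake_failure"
    elif cert.not_after <= now:
        reason, alert = "client certificate expired", "certificate_expired"
    elif cert.revoked:
        reason, alert = "client certificate revoked", "certificate_revoked"
    elif not cert.chain_complete or cert.issuer not in trusted_issuers:
        reason, alert = "client certificate chain does not reach a trusted CA", "unknown_ca"
    else:
        return ("accept", "200 OK")
    if alert_on_failure:
        # Alert-and-drop: the user sees a generic connection error, nothing more.
        return ("alert", alert)
    # SWS-style: handshake completes and the page carries a specific reason.
    return ("page", f"403 Forbidden: {reason}")


# Constructed sample data.
UTC = timezone.utc
NOW = datetime(2009, 10, 5, tzinfo=UTC)
EXPIRED = ClientCert("expired-user", "CA-A", datetime(2009, 1, 1, tzinfo=UTC))
REVOKED = ClientCert("revoked-user", "CA-A", datetime(2011, 1, 1, tzinfo=UTC), revoked=True)
GOOD = ClientCert("good-user", "CA-B", datetime(2011, 1, 1, tzinfo=UTC))
SERVER_ONLY = ClientCert("tls-server", "CA-B", datetime(2011, 1, 1, tzinfo=UTC),
                         ekus=frozenset({"id-kp-serverAuth"}))


if __name__ == "__main__":
    sent = browser_pick_cert([EXPIRED, REVOKED, GOOD], ["CA-A"], NOW)
    print("browser sends:", sent.subject if sent else None)
    print(server_decide(sent, {"CA-A", "CA-B"}, NOW, alert_on_failure=True))
    print(server_decide(sent, {"CA-A", "CA-B"}, NOW, alert_on_failure=False))
```

Run as a script it shows the revoked cert being offered (it is unexpired and from the requested issuer) and the two possible server reactions; the error-page variant is the one the original poster wants to make more descriptive.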