http://issues.apache.org/bugzilla/show_bug.cgi?id=41337

------- Additional Comments From [EMAIL PROTECTED] 2007-01-30 08:08 -------

Hi,

The only way to present a useful error page is to establish a socket. JSSE won't let the socket happen if there's a problem with a client cert.

In my mind the only way to provide a useful error page would be for Tomcat to only ever use "setWantClientAuth" (which isn't even available pre Java 1.4!), and to draw an HTML error page for all requests if "need=true" is set in Tomcat's own config. It's nicer to just leave all this stuff up to JSSE and not worry about it. By circumventing JSSE's "no socket for you" security, Tomcat risks making itself insecure, even though a helpful error page would be *really* handy!

Workaround: set your own SSL config in Tomcat to "WANT" instead of "NEED" (in server.xml) and set up your own ServletFilter on "/*" that draws a nice error page if no client cert is provided.

    <Connector port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sslProtocol="TLS" clientAuth="want" />
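The servlet filter half of the workaround above, written here as an added illustration rather than code from the bug report or from Tomcat; the class name and the error-page markup are invented, while the request attribute name is the standard one the Servlet specification defines for the verified client chain.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of the bug report) that enforces a client
 * certificate at the application layer when the connector uses
 * clientAuth="want". With "want" the TLS handshake completes even if the
 * browser sends no certificate, so the request reaches this filter and a
 * readable error page can be returned instead of a dropped connection.
 */
public class RequireClientCertFilter implements Filter {

    // Servlet-spec attribute under which the container exposes the verified chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // Accept only a chain JSSE actually verified on a TLS connection.
        if (!request.isSecure() || certs == null || certs.length == 0) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("text/html;charset=UTF-8");
            response.getWriter().write(
                "<html><body><h1>Client certificate required</h1>"
              + "<p>Install your certificate in the browser and reload.</p></body></html>");
            return;
        }
        chain.doFilter(req, res);   // certificate present: continue to the application
    }

    public void destroy() { }
}
```

Map the filter to url-pattern "/*" in web.xml so every request passes through it. A certificate that fails trust validation is still rejected by JSSE during the handshake, so this page is only shown when the browser sends no certificate at all.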