Sebastian,
On 2/7/25 4:37 PM, Sebastian Trost wrote:
if updating your application is out of the question, I'm guessing that
there is no way to achieve this.
If updating your application is an option, you can set the clientAuth
attribute of your connector to 'want' instead of 'true' and then try to
detect within your app, if the client provided a valid certificate and
redirect them to an error page if that is not the case.
Source: https://stackoverflow.com/a/46488689/1180010
+1
If the TLS handshake fails (because the certs are unacceptable to one
party or the other), then there is no HTTP connection available to send
a custom error page. It's entirely up to the application on the client
end to describe the failure to the user.
If, instead, you relax the handshake requirements (clientAuth=want) then
you have the opportunity to complete the handshake but then refuse the
user via HTTP. It's a lot more work, but it's definitely possible.
-chris
On 06.02.2025 18:59, Peter Rader wrote:
Hi,
I have a website that uses mutual authentication for over 100 persons, very
successfully, for years.
Sometimes a client certificate in the truststore of the server must be
deactivated, maybe the person died or his/her device got pinched.
As soon as the user accesses the website using a browser that has the client
certificate installed in the certificate store of the browser, the website is
unavailable. Fair enough! A generic website is displayed in the browser. For
Firefox the message "SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT" appears. That's fair
and good.
However, is there a way to have a custom website instead of the browser's
built-in error page?
Kind regards
Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Handy: 0049 (0)176 / 87 521 576
Handy: 0049 (0)176 / 47 876 303
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
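
A sketch of the clientAuth=want approach discussed in this thread, as an added example that is not code from any of the posters or from Tomcat itself. It assumes Tomcat 10+ (jakarta.* namespace) on Java 17, and that a deactivated certificate stays in the truststore so the handshake completes and the application refuses it instead; the class name, the error page path and the fingerprint deny-list are hypothetical.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Set;

// Hypothetical filter; map it to /* in web.xml or with @WebFilter.
public class ClientCertFilter extends HttpFilter {
    // Hypothetical static page that explains the refusal to the user.
    private static final String ERROR_PAGE = "/cert-error.html";
    // Constructed placeholder: SHA-256 fingerprints (lowercase hex) of
    // deactivated client certificates. Load from configuration in practice.
    private static final Set<String> DEACTIVATED = Set.of("00".repeat(32));

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res,
                            FilterChain chain) throws IOException, ServletException {
        // Only the error page itself is reachable without an accepted certificate.
        if (ERROR_PAGE.equals(req.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // With clientAuth=want the attribute is null when no certificate was sent.
        X509Certificate[] chainCerts = (X509Certificate[])
                req.getAttribute("jakarta.servlet.request.X509Certificate");
        if (chainCerts == null || chainCerts.length == 0
                || DEACTIVATED.contains(fingerprint(chainCerts[0]))) {
            res.sendRedirect(req.getContextPath() + ERROR_PAGE);
            return; // fail closed: the protected resource is never invoked
        }
        chain.doFilter(req, res);
    }

    // SHA-256 over the DER encoding of the leaf (client) certificate.
    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return HexFormat.of().formatHex(digest);
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }
}
```

On Tomcat 9 and earlier the imports are javax.servlet.* and the request attribute is javax.servlet.request.X509Certificate.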