Sebastian,

On 2/7/25 4:37 PM, Sebastian Trost wrote:
If updating your application is out of the question, I'm guessing that there is no way to achieve this.

If updating your application is an option, you can set the clientAuth attribute of your connector to 'want' instead of 'true' and then try to detect within your app, if the client provided a valid certificate and redirect them to an error page if that is not the case.

Source: https://stackoverflow.com/a/46488689/1180010

+1

If the TLS handshake fails (because the certs are unacceptable to one party or the other), then there is no HTTP connection available to send a custom error page. It's entirely up to the application on the client end to describe the failure to the user.

If, instead, you relax the handshake requirements (clientAuth=want) then you have the opportunity to complete the handshake but then refuse the user via HTTP. It's a lot more work, but it's definitely possible.

-chris
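Putting the approach described above (relax the connector, then decide in the application) into code, as an added example for this thread; it is not code from the list, from Tomcat, or from any poster. It assumes Tomcat 10.1 or later (jakarta.servlet), an SSLHostConfig with certificateVerification="optional" (the SSLHostConfig spelling of clientAuth="want"), and a 403 error-page mapping in web.xml. The error page path, the deny-list file, its line format and the init-param name are assumptions made for the example.

```java
// ClientCertGateFilter.java (added example, not from the thread or from Tomcat)
//
// Connector side, in server.xml (assumed layout; keystore/truststore names are placeholders):
//
//   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
//     <SSLHostConfig certificateVerification="optional"
//                    truststoreFile="conf/client-truststore.p12" truststorePassword="changeit">
//       <Certificate certificateKeystoreFile="conf/server.p12" certificateKeystorePassword="changeit"/>
//     </SSLHostConfig>
//   </Connector>
//
// Application side, in web.xml, so that sendError(403) renders our page instead of Tomcat's:
//
//   <error-page><error-code>403</error-code><location>/cert-error.html</location></error-page>
//
// With the handshake relaxed, TLS no longer enforces "a valid client cert is present", so the
// filter does: every request must carry a client certificate, the leaf must be within its
// validity period, and it must not be on an application-maintained deny list.
package example.tls;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.stream.Collectors;

@WebFilter("/*") // REQUEST dispatch only, so the ERROR dispatch to /cert-error.html is not filtered
public class ClientCertGateFilter implements Filter {

    // Servlet 5+ attribute name. Tomcat 9 (javax.servlet) uses "javax.servlet.request.X509Certificate".
    private static final String CERT_ATTR = "jakarta.servlet.request.X509Certificate";

    // Deny list entries: "<issuer DN in RFC 2253 form>|<serial number in hex>", one per line,
    // '#' starts a comment. File location comes from an init-param (assumed name: denyListFile).
    private volatile Set<String> denied = Set.of();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String denyFile = cfg.getInitParameter("denyListFile");
        if (denyFile == null) {
            return; // no deny list configured: only presence and validity are checked
        }
        try {
            denied = Files.readAllLines(Path.of(denyFile)).stream()
                    .map(String::trim)
                    .filter(l -> !l.isEmpty() && !l.startsWith("#"))
                    .collect(Collectors.toUnmodifiableSet());
        } catch (IOException e) {
            throw new ServletException("cannot read client certificate deny list " + denyFile, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tomcat populates this attribute only when the client actually sent a certificate.
        X509Certificate[] presented = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String reason = check(presented);
        if (reason != null) {
            response.setHeader("Cache-Control", "no-store");
            // 403 is mapped to /cert-error.html via <error-page>; the message is available to a
            // JSP error page as the jakarta.servlet.error.message request attribute.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the presented chain is acceptable, otherwise a short reason for the error page. */
    String check(X509Certificate[] presented) {
        if (presented == null || presented.length == 0) {
            return "no client certificate was presented";
        }
        X509Certificate leaf = presented[0];
        try {
            leaf.checkValidity(); // rejects expired and not-yet-valid certificates
        } catch (CertificateException e) {
            return "client certificate is outside its validity period";
        }
        String key = leaf.getIssuerX500Principal().getName() + "|" + leaf.getSerialNumber().toString(16);
        if (denied.contains(key)) {
            return "client certificate has been deactivated";
        }
        return null;
    }
}
```

Two caveats before relying on this. First, with the JSSE provider, "optional" (clientAuth="want") only relaxes the case where the browser sends no certificate at all; a certificate that is sent but does not validate against the truststore still aborts the handshake, and the browser still shows its own page (that is what SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT reports). So to show a custom page to a deactivated user, either keep that user's issuer trusted at the TLS layer and make the per-user deactivation decision in the application (the deny list above), or use certificateVerification="optionalNoCA", which Tomcat honours only with the OpenSSL (tomcat-native) provider and treats as "optional" under JSSE. Second, keep the error page self-contained (inline CSS, no separate images or scripts), because requests for its assets arrive without an acceptable certificate and are rejected by the same filter.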

On 06.02.2025 18:59, Peter Rader wrote:
Hi,


I have a website that uses mutual authentication for over 100 persons, very
successfully, for years.

Sometimes a client-certificate in the truststore of the server must be
deactivated, maybe the person died or his/her device got pinched.

As soon as the user accesses the website using a browser that has the client
certificate installed in the certificate store of the browser, the website is unavailable. Fair enough! A generic website is displayed in the browser. For Firefox the message "SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT" appears. That's fair
and good.

However, is there a way to have a custom website instead of the browser's
built-in error page?


Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Mobile: 0049 (0)176 / 87 521 576
Mobile: 0049 (0)176 / 47 876 303

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
