Re: Custom error page for invalid mutual authentication (TLS)

Tue, 11 Feb 2025 04:46:58 -0800 

Sebastian,

On 2/7/25 4:37 PM, Sebastian Trost wrote:
if updating your application is out of the question, I'm guessing that there is no way to achieve this. 


If updating your application is an option, you can set the clientAuth 
attribute of your connector to 'want' instead of 'true' and then try to 
detect within your app, if the client provided a valid certificate and 
redirect them to an error page if that is not the case.


Source: https://stackoverflow.com/a/46488689/1180010


+1


If the TLS handshake fails (because the certs are unacceptable to one 
party or the other), then there is no HTTP connection available to send 
a custom error page. It's entirely up to the application on the client 
end to describe the failure to the user.



If, instead, you relax the handshake requirements (clientAuth=want) then 
you have the opportunity to complete the handshake but then refuse the 
user via HTTP. It's a lot more work, but it's definitely possible.


-chris


On 06.02.2025 18:59, Peter Rader wrote:

Hi,


I have a website that use mutual authentication for over 100 persons very
successfull since years.

Sometimes a client-certificate in the truststore of the server must be
deactivated, maybe the person died or his/her device got pinched.

As soon as the user access the website using a browser who has the client

certificate installed in the certificate-store of the browser, the 
website is
unavailable. Fair enougth! A generic website is displayed in the 
browser. For
firefox the message "SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT" appears. 
Thats fair

and good.

However, is there a way to have a custom website instead of the browser's
built-in error-page?


Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Handy: 0049 (0)176 / 87 521 576
Handy: 0049 (0)176 / 47 876 303

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to