Ssl – Redirect user on SSL authentication failure

Tags: apache-2.2, authentication, ssl

I configured a VirtualHost with SSL enabled and SSL client authentication, all of that on apache2 2.2.8 (ubuntu server 8.04).

All SSL certificates (CA, Server certificate, Client certificate, CRL) were generated with openssl command line.

I want to redirect the user to a custom error page if the client certificate isn't valid (not present, expired, or revoked).

Here is the configuration of my virtual host:

<VirtualHost *:443>
    ServerName myserv.example.com
    DocumentRoot /var/www/myserv/

    CustomLog /var/log/apache2/myserv.access.log combined
    ErrorLog /var/log/apache2/myserv.error.log
    LogLevel warn

    SSLEngine on
    SSLOptions +StdEnvVars +ExportCertData

    SSLCertificateFile "/etc/apache2/ssl/certs/servcrt.pem"
    SSLCertificateKeyFile "/etc/apache2/ssl/private/servkey.pem"

    SSLCACertificateFile "/etc/apache2/ssl/certs/ca.pem"

    SSLCARevocationPath "/etc/apache2/ssl/crl/"
    SSLCARevocationFile "/etc/apache2/ssl/crl/crl.pem"

    <Directory /var/www/myserv/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all

        SSLVerifyClient optional
        SSLVerifyDepth 1

        RewriteEngine on
        RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
        RewriteRule .* /error-page.html [L]
    </Directory>
</VirtualHost>

With that configuration, if the user doesn't have any SSL certificate, he's correctly redirected to the error page. But if he has a revoked or expired certificate, the handshake fails (normal) and the connection is closed (returning an SSL error on the browser).

How can I tell apache2 to redirect the user to the correct page instead of closing the connection on SSL handshake failure?

Best Answer

It is a common misconception that a web server can "do something" instead of displaying most (maybe all) SSL errors in the browser.

This is because the SSL handshake occurs first and completely independently of any HTTP communication. Though we treat it as one, HTTPS is not really a different protocol to HTTP, it is "HTTP over an encrypted channel between your browser and the server".

If the client presents an invalid certificate, the SSL handshake fails and you get an error. At this point no HTTP communication has occurred and thus no opportunity to redirect the user exists.
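The answer's point, that the handshake either completes or dies before a single HTTP byte is exchanged, can be watched directly. The script below is an added example, not code from the question or the answer. It shells out to the openssl command-line tool (the tool the question used for its own certificates) to mint two throw-away self-signed certificates, then replays the two cases from the question against a tiny loopback TLS server configured with the semantics of `SSLVerifyClient optional`: a client that sends no certificate completes the handshake and is answered with a 302 to /error-page.html, while a client that presents a certificate the server does not trust is cut off inside the handshake, so the server-side code that could have redirected it never runs. All names here (serve_once, fetch, demo, the "rogue-client" certificate) are the example's own.

```python
"""Watch the TLS handshake fail before any HTTP request exists.

Added example, not code from the question or the answer.  It shells out to
the openssl command-line tool to mint two throw-away self-signed certificates
and otherwise uses only the Python standard library.  Every name here
(serve_once, fetch, demo, the 'rogue-client' certificate) is the example's own.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: /error-page.html\r\nContent-Length: 0\r\n\r\n"
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def make_self_signed(prefix, common_name):
    """Create <prefix>.key / <prefix>.crt, a self-signed pair valid for one day."""
    key, crt = prefix + ".key", prefix + ".crt"
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + common_name, "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return key, crt


def serve_once(server_key, server_crt, trusted_ca, result):
    """Accept one connection with the semantics of 'SSLVerifyClient optional':
    the client may send no certificate, but a certificate it does send must
    verify against trusted_ca, otherwise OpenSSL aborts the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.load_verify_locations(trusted_ca)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    with socket.create_server(("127.0.0.1", 0)) as lsock:
        lsock.settimeout(10)
        result["port"] = lsock.getsockname()[1]
        result["ready"].set()
        conn, _ = lsock.accept()
        conn.settimeout(10)
        try:
            tls = ctx.wrap_socket(conn, server_side=True)  # the handshake runs here
        except ssl.SSLError as exc:
            # Verification failed inside the handshake: no request was ever read,
            # so there is nothing an HTTP-level redirect could act on.
            result["stage"] = "handshake-failed"
            result["detail"] = exc.reason
            return
        with tls:
            request = tls.recv(4096)            # reached only after a good handshake
            result["stage"] = "http-request-seen"
            result["request_line"] = request.split(b"\r\n", 1)[0].decode()
            # No certificate at all is the SSL_CLIENT_VERIFY=NONE case from the
            # question: the handshake succeeded, so we can answer with a redirect.
            tls.sendall(REDIRECT if not tls.getpeercert() else OK)


def fetch(port, server_crt, client_key=None, client_crt=None):
    """Connect like a browser, send one GET and return the response status line,
    or None when the TLS layer tore the connection down."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(server_crt)   # trust our own self-signed server cert
    ctx.check_hostname = False              # throw-away cert carries no SAN
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=10)
        with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"GET / HTTP/1.1\r\nHost: myserv.example.com\r\n\r\n")
            response = tls.recv(4096)
    except (ssl.SSLError, OSError):
        return None
    if not response:
        return None
    return response.split(b"\r\n", 1)[0].decode()


def demo():
    """Run both cases from the question against the toy server."""
    with tempfile.TemporaryDirectory() as tmp:
        srv_key, srv_crt = make_self_signed(os.path.join(tmp, "server"), "localhost")
        rogue_key, rogue_crt = make_self_signed(os.path.join(tmp, "rogue"), "rogue-client")
        outcomes = {}
        for label, key, crt in (("no_client_cert", None, None),
                                ("untrusted_client_cert", rogue_key, rogue_crt)):
            result = {"ready": threading.Event(), "stage": "not-started"}
            worker = threading.Thread(target=serve_once,
                                      args=(srv_key, srv_crt, srv_crt, result), daemon=True)
            worker.start()
            result["ready"].wait(10)
            status = fetch(result["port"], srv_crt, key, crt)
            worker.join(10)
            outcomes[label] = (result["stage"], status)
    return outcomes


if __name__ == "__main__":
    for label, (stage, status) in demo().items():
        print(f"{label}: server stage={stage}, client saw={status}")
```

The server uses its own self-signed certificate as the only trusted CA, so the "rogue-client" certificate plays the part of an expired, revoked or otherwise unverifiable client certificate: OpenSSL rejects it while `wrap_socket` is still in `do_handshake`, and the `recv` that would have seen `GET /` is never reached. Only in the no-certificate case does the server get as far as application data, which is exactly where the question's `RewriteCond` on `SSL_CLIENT_VERIFY` is evaluated.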