
cacert-sysadm - Re: https unintuitive client side error messages

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Wytze van der Raay <wytze AT deboca.net>
  • To: cacert-sysadm AT lists.cacert.org
  • Cc: cats AT cacert.org
  • Subject: Re: https unintuitive client side error messages
  • Date: Wed, 22 Apr 2009 17:56:51 +0200

Hi Daniel,

Daniel Black wrote:
> On Wednesday 15 April 2009 18:50:59 Daniel Black wrote:
>> I've seen a few (there's probably lots), of people asking for support with
>> https://cats.cacert.org and https://secure.cacert.org when they don't have
>> a client side certificate. Rather than rely on the client side error
>> message 'ssl_error_handshake_failure_alert' (firefox), is there a neat way
>> to configure apache to display a more helpful error page?
>>
>> I imagine this would require a 'SSLVerifyClient optional'
> ...
> ...
> 
> I've tested it properly. The following directives are needed after enabling 
> mod_rewrite.
> 
> RewriteEngine        on
> RewriteCond   %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
> RewriteRule   .? - [F]
> ErrorDocument 403 "You need a client side certificate to access this site"
> 
> Then change 'SSLVerifyClient' to 'optional'
> 
> I suggest this be used for https://cats.cacert.org and
> https://secure.cacert.org.
> 
> Test here if you want https://community.cacert.org/test/

It seems to work just fine there, but the same trick applied to
https://secure.cacert.org/ just failed miserably.
Sure enough, the 403 error message came out, but it did also when
performing a certificate login from http://www.cacert.org/.
That's less than helpful I am afraid.
I do not quite understand why this happens, it requires further
testing in a non-critical environment.

-- wytze
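
An added example, not part of the original message and not CAcert's own code or configuration: one way to carry out the further testing mentioned above is to log SSL_CLIENT_VERIFY for every request on a test server and then summarise which 403 responses came with which verification result. The log format, the sample lines and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed log format (not from the thread), using mod_ssl's %{VAR}x logging:
#   LogFormat "%h \"%r\" %>s \"%{SSL_CLIENT_VERIFY}x\" \"%{SSL_CLIENT_S_DN}x\"" clientcert
LINE = re.compile(
    r'^(?P<host>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<verify>[^"]*)" "(?P<dn>[^"]*)"$'
)

# Constructed sample lines, not taken from any CAcert server.
SAMPLE_LOG = """\
192.0.2.10 "GET / HTTP/1.1" 403 "NONE" "-"
192.0.2.11 "GET /index.php HTTP/1.1" 200 "SUCCESS" "/CN=Test User/emailAddress=user@example.org"
192.0.2.12 "GET /index.php?id=4 HTTP/1.1" 403 "NONE" "-"
192.0.2.13 "GET /account.php HTTP/1.1" 403 "SUCCESS" "/CN=Other User"
192.0.2.14 "GET / HTTP/1.1" 403 "FAILED:certificate has expired" "-"
this line is malformed
"""


def classify(status, verify):
    """Relate one logged request to the RewriteCond quoted in the thread."""
    if status != 403:
        return "served"
    if verify == "SUCCESS":
        # The quoted RewriteCond does not match here, so this 403
        # must come from somewhere other than that rule.
        return "403-despite-valid-cert"
    if verify == "NONE":
        # The server saw no client certificate on this connection.
        return "403-no-cert-presented"
    # Remaining mod_ssl values: GENEROUS or FAILED:<reason>.
    return "403-cert-rejected"


def summarise(log_text):
    """Return (Counter of classifications, list of unparsable lines)."""
    counts, unparsed = Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed.append(line)  # keep for manual inspection
            continue
        counts[classify(int(m["status"]), m["verify"])] += 1
    return counts, unparsed
```

Calling `summarise()` on the test server's log separates 403s where no certificate reached the server from 403s issued even though verification succeeded.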


