Client certificate

--retimiled-emim-mijooneldraneldeen
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C7080E.18D17F13"

This is a multi-part message in MIME format.

------_=_NextPart_001_01C7080E.18D17F13
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

Hi ,
I am trying to implement client authentication based on client
certificates.

I want to throw up an error message to the "user/browser" in case client
certificate is invalid.

What I got was that "The page cannot be displayed" error if an
invalid(expired one) client certificate is sent and I see the following
in the logs.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D
[Tue Nov 14 16:52:53 2006] [info] [client 14.64.53.89] client stopped
connection before rflush completed
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification:
Error (10): certificate has expired
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!?
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: Certificate Verification:
Error (10): certificate has expired
[Tue Nov 14 16:52:57 2006] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Tue Nov 14 16:52:57 2006] [error] OpenSSL: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certif
icate returned
[Tue Nov 14 16:52:57 2006] [info] [client 14.64.53.89] client stopped
connection before rflush completed
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D
=3D=3D=3D=3D

Ideally , I would like to be able to find that the client certificate
has expired using the "SSL_Client....." variables and be able to give
user some error message.

Is it possible?

Thanks,
Vishal

------_=_NextPart_001_01C7080E.18D17F13
Content-Type: text/html;
charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.5.7651.14">
<TITLE>Client certificate</TITLE>
</HEAD>
<BODY>


Hi ,

 I am trying to implement client =
authentication based on client certificates.


I want to throw up an error message to =
the "user/browser" in case client certificate is =
invalid.


What I got was that =
"The page =
cannot be displayed" error if an invalid(expired one) client =
certificate is sent and I see the following in the logs.

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

 [Tue Nov 14 16:52:53 2006] [info] [client =
14.64.53.89] client stopped connection before rflush completed

 [Tue Nov 14 16:52:57 2006] =
[error] mod_ssl: Certificate Verification: Error (10): certificate has =
expired

 [Tue Nov 14 16:52:57 2006] =
[error] mod_ssl: Re-negotiation handshake failed: Not accepted by =
client!?

 [Tue Nov 14 16:52:57 2006] =
[error] mod_ssl: Certificate Verification: Error (10): certificate has =
expired

 [Tue Nov 14 16:52:57 2006] =
[error] mod_ssl: SSL error on writing data (OpenSSL library error =
follows)

 [Tue Nov 14 16:52:57 2006] =
[error] OpenSSL: error:140890B2:SSL =
routines:SSL3_GET_CLIENT_CERTIFICATE:no certif

 icate returned

 [Tue Nov 14 16:52:57 2006] =
[info] [client 14.64.53.89] client stopped connection before rflush =
completed

 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=
=3D=3D=3D=3D


Ideally , I would like to be =
able to find that the client certificate has expired using the =
"SSL_Client….." variables and be able to give user some =
error message.

Is it possible?


Thanks,

 Vishal

 
 
 

</BODY>
</HTML>
------_=_NextPart_001_01C7080E.18D17F13--

--retimiled-emim-mijooneldraneldeen
Content-Type: text/plain; charset=us-ascii; name="disclaim.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Content-Description: Legal Disclaimer

Visit our website at http://www.ubs.com

This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.

--retimiled-emim-mijooneldraneldeen--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org