PSM:CertPrompt: Difference between revisions

Jump to navigation Jump to search

PSM:CertPrompt (view source)

Revision as of 22:52, 7 September 2007

1 byte removed ,  7 September 2007
→‎Additional complications
Line 73: Line 73:
== Additional complications ==
== Additional complications ==


The interaction between clients and servers with failed SSL connections is currently poor in both IE and pre-Firefox 1.5 (Firefox 1.5 needs additional testing here). In addition is very difficult to set up any SSL server such that it does not create failes SSL connections when doing client auth.
The interaction between clients and servers with failed SSL connections is currently poor in both IE and pre-Firefox 1.5 (Firefox 1.5 needs additional testing here). In addition is very difficult to set up any SSL server such that it does not create failed SSL connections when doing client auth.


When the SSL connection fails, there is no communication channel between the client and the server. Sometimes clients will get and error code, or an SSL alert, but most often they just quick loading the page, giving the user no information about the failure. Because there is no connection, the normal server methods of redirecting the user to an error page does not work.
When the SSL connection fails, there is no communication channel between the client and the server. Sometimes clients will get and error code, or an SSL alert, but most often they just quit loading the page, giving the user no information about the failure. Because there is no connection, the normal server methods of redirecting the user to an error page does not work.


The SSL connection can fail in the client authentication case for the following reasons:
The SSL connection can fail in the client authentication case for the following reasons:
* The client sent to certificate in the case where SSL issued a 'Require client auth' connection.
* The client sent to certificate in the case where SSL issued a 'Require client auth' connection.
* The client sent a certificate that the server things is expired (either because the certificate is expired, or the servers clock is set incorrectly).
* The client sent a certificate that the server thinks is expired (either because the certificate is expired, or the servers clock is set incorrectly).
* The client sent a certificate that does not chain to any of the CA's trusted for client authentication.
* The client sent a certificate that does not chain to any of the CA's trusted for client authentication.
* The client certificate can not validate for other reasons (missing extensions, key usages, policy, signature is bad, etc).
* The client certificate can not validate for other reasons (missing extensions, key usages, policy, signature is bad, etc).
Relyea
439

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/67915"

Navigation menu