Error messages + Apache configuration possibilities

We talked already about this topic at the teleconf on monday. I've
create a small summary:

No matter what went wrong durring the authentification process the users
should get an understandable error message and if it's possible, the
message already contains a solution for the problem. The https protocol
allows us to forward errors to the user on to levels: ssl/tls and http.
We (the endpoint developers) have complete control over the http error
pages, but depend on the browser vendors how errors on the ssl level are
shown to the user. The idea was now to ignore most ssl errors and handle
them on the http level, at least test endpoints could handle errors in
this way.

Opinions from the ssl experts?


Most of the current WebID endpoint implementations depend on the Apache
https implementation. The SSLVerifyClient option allows us to disable
the CA verification, but other things like the date verification or the
handling of the critical extensions can't be configured after compilation.

Should we ask the Apache people if they can make more things configurable?


Perhaps the best approach would be improving the handling of the
certificate selection and the ssl error message shown by the browser.
I've done some tests with expired certificates on my windows machine
with Firefox, Chrome, Opera and IE9:

Chrome and IE9:
Both don't even offer expired certificates in selection dialog (looks
like both use the default SSPI dialog). As I couldn't select the expired
cert I didn't check how error messages are displayed.

Firefox:
Firefox marks certificates as expired in the selection dialog but they
can be selected and also shows some details about refused ssl
connections. But could be even more user-friendly.

Opera:
Opera allows selection of expired certificates and but doesn't mark them
as expired (only the details page shows the begin and end date). The
error message just informs that the server was not reachable.


The wikipedia article about the the tls alert protocol:
http://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol

Apache documentation to the SSLVerifyClient option:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient

The WebID test vocabulary. The pure certificate tests are interesting:
https://dvcs.w3.org/hg/WebID/file/55f18239ed1a/tests/earl/test.n3

Henrys tls tests:
https://github.com/bblfish/TLS_test

Received on Tuesday, 28 June 2011 22:57:32 UTC