
Fix ssl error reporting (#2110)

Maxime Besson requested to merge fix-ssl-error-reporting-2110 into v2.0

This is my proposal for fixing #2110 (closed)

The bug was about giving better information than "Certificate required" when an error occurs during SSL (by ajax) login

Knowing the difference between "Certificate not sent by browser" and "Certificate not accepted by server" is pretty easy to do as long as SSLVerifyClient is "optional" instead of "required"

But I wanted to go into more detail and be able to distinguish between "certificate not accepted by Apache/Nginx" and "login refused by lemonLDAP" (because of session rules, a userdb issue, etc.)

In order to do that, I had to implement a big change: moving from JSONP to JSON. This requires a bit of magic with CORS headers. Since the current handling of CORS is not very satisfying, I did a bit of a hack in f98bccdd.

Because I moved the AJAX request from jsonp to json, we are now able to read its content in case of a 401 (not possible with jsonp), so we can know what the error is.

In order to correctly display the error message, I added the ability for the portal to return an HTML rendering of the error in a JSON response.

I had to add a little modification in the templates and JS to allow for sslChoice.js to display that HTML error in the right place, with correct translation and without losing the current tab.

Tested with Firefox, Chrome, (not IE), Nginx, Apache, and I even tested what happens for clients who are still using the 2.0.7 js because of cache issues (it works, but no improved error messages for them!)

Demo with a choice of SSL/LDAP:

vokoscreen-2020-03-26_20-51-13

  • First try: certificate not provided
  • Second try: user abergin is denied by session opening rule
  • Third try: user abarnes is allowed
  • Fourth try: user dwho does not exist in LDAP
  • Fifth try: user davros has an expired/revoked certificate
Edited by Maxime Besson
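Added example, not code from this merge request or from LemonLDAP::NG: it shows why the JSONP-to-JSON move matters (the page can now read a 401 body) and what CORS headers a credentialed cross-origin request needs. The JSON field names (`result`, `html`), the status classification and the origins are assumptions for illustration.

```javascript
// Server side: CORS headers for a credentialed request (client certificate,
// session cookie). With credentials the browser rejects "*", so the exact
// origin must be echoed, and only if it is on an allow-list: reflecting any
// Origin that arrives would let any site read the portal's responses.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keep caches from serving one origin's headers to another
  };
}

// Client side: classify the SSL login response. A JSONP <script> load that
// fails gives no status and no body, so every failure looked like
// "Certificate required". With fetch/XHR plus CORS the page sees the status
// and can parse the JSON body, including a pre-rendered, translated HTML
// fragment the portal chose to include.
function classifySslLogin(status, bodyText) {
  let body = null;
  try { body = JSON.parse(bodyText); } catch (e) { /* no JSON body */ }
  if (status === 200 && body && body.result === 1) {
    return { kind: "ok", html: null };
  }
  if (status === 401) {
    if (body && typeof body.html === "string") {
      // Portal explained the refusal; the fragment comes from the portal
      // origin, which the page already trusts, so it may be inserted as-is.
      return { kind: "denied_with_message", html: body.html };
    }
    // No readable JSON: fall back to a generic certificate message
    return { kind: "denied_no_message", html: null };
  }
  return { kind: "unexpected", html: null };
}

// Constructed sample responses (not captured from a real portal)
const SAMPLE_OK = JSON.stringify({ result: 1 });
const SAMPLE_DENIED = JSON.stringify({
  result: 0,
  html: "<div class=\"alert alert-danger\">Access denied by session rule</div>",
});
```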
