Friday, November 14, 2008

Catch SSL Certificate errors from HttpContext Request

A recent task was to try and redirect user entry points to an address that our web site's SSL certificate had been assigned to. An example follows to illustrate the problem.

User wants to get to a secured page quickly without going through the site's internal navigation links. From the browser's Address bar they enter https://example.com/accounts/ and the Certificate returns an error code that when looked up indicates:

Error code: ssl error bad cert domain

The certificate was issued to www.example.com and indicates that example.com uses an invalid security certificate.

I was hoping to be able to catch the request in the Application_BeginRequest event but the SSL error occurs before this. The only way that the Application_BeginRequest event is invoked is when the user clicks through the certificate error message to Proceed Anyway.
Here is an image of what to expect in Google Chrome.


The solution to this is simple but many System Admins prefer to have Dev implement a band-aid solution of redirecting traffic from the typical landing page. In other words look for a host request from example.com and redirect to http://www.example.com/ The true solution is to fix the certificate! Contact your SSL certificate provider and have them re-issue a certificate that includes a SubjectAlternativeName (SAN) entry. In our example this means theat traffic coming from either example.com or www.example.com would be correctly named and known to the certificate. In most cases the certificate authority's will do this at no additional cost. Lesson's learned!

In researching this issue it was a surprise to see that even Google has not fixed this issue yet! Again, no charge so fix it already!

1 comment:

Anonymous said...

I would never imagine the problem to exist given the workaround. Great solution! Thanks for sharing. I'd like to think I know a bit about SSL and SAN SSL Certs, but I wouldn't trust myself (and give me the headaches), so I use the UK's leading reseller in SSL certs, SSL247.co.uk.