Catch Dynamic CRL Errors and Return Friendly Page
Hi all,
I’ve implemented a TLS 1.3 mTLS HTTP virtual server, following the general instructions to support friendly HTTP errors as per "Catch SSL Errors and return a friendly page..." on DevCentral, with some slight adjustments. This has worked great and I’ve been able to catch errors through checks against the SSL::verify_result value. However, while this works using the CRL File option, the behaviour is different when using Dynamic CRL.
It appears that, using the CRL File option, all validation is performed prior to the CLIENTSSL_CLIENTCERT event, with the outcome provided in SSL::verify_result. When using the CRL Validator, all non-CRL validation is performed prior to CLIENTSSL_CLIENTCERT; the CRL Validator then performs its operations after CLIENTSSL_CLIENTCERT and before the CLIENTSSL_HANDSHAKE event, where the SSL::verify_result value can change based on the CRL Validator outcome. However, on most errors (from testing it appears to be all errors except for revoked status) processing fails and the CLIENTSSL_HANDSHAKE event is never reached. Instead, a TLS protocol response is returned directly to the calling client, removing the opportunity to catch and process the error and return an HTTP response.
Has anyone configured catching SSL/TLS errors using Dynamic CRL and sending friendly HTTP responses? Any thoughts on how to address this? This is specifically to cover all the CRLDP failing scenarios, such as for all the “unknown” certificate status triggers and for certificates missing the CRLDP extension.
Thanks for any help
Andrew
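The pattern the post describes, checking SSL::verify_result at both CLIENTSSL_CLIENTCERT and CLIENTSSL_HANDSHAKE and deferring the friendly response to HTTP_REQUEST, as an added iRule example that is not the post's own code nor F5's DevCentral article. It assumes a client SSL profile that requests (rather than requires) a client certificate so the handshake can complete and HTTP_REQUEST can fire; the variable names and the HTML body are constructed for this example. As the post observes, a Dynamic CRL lookup that aborts the handshake never reaches CLIENTSSL_HANDSHAKE, so this catches only the cases that do complete.

```tcl
# Record the verification outcome as early as it is available.
when CLIENTSSL_CLIENTCERT {
    # Non-zero means OpenSSL-style verification failed (chain, expiry, CRL File, ...).
    set verify_code [SSL::verify_result]
    if { $verify_code != 0 } {
        set verify_msg [X509::verify_cert_error_string $verify_code]
        log local0. "client cert check failed at CLIENTCERT: $verify_code ($verify_msg)"
    }
}

# The CRL Validator may update the result after CLIENTCERT; re-read it here.
# Note: this event does not fire when the validator aborts the handshake.
when CLIENTSSL_HANDSHAKE {
    set late_code [SSL::verify_result]
    if { $late_code != 0 } {
        set verify_code $late_code
        set verify_msg [X509::verify_cert_error_string $late_code]
        log local0. "client cert check failed at HANDSHAKE: $late_code ($verify_msg)"
    }
}

# Serve a friendly page instead of a bare TLS alert once HTTP is available.
when HTTP_REQUEST {
    if { [info exists verify_code] && $verify_code != 0 } {
        # Constructed, deliberately generic body: do not echo the exact failure
        # reason to the client; the detail is already in the local log above.
        HTTP::respond 403 content \
            "<html><body><h1>Client certificate rejected</h1>\
             <p>Your certificate could not be validated. Reference code $verify_code.</p>\
             </body></html>" \
            "Content-Type" "text/html" "Connection" "close"
        return
    }
    if { [SSL::cert count] == 0 } {
        # No certificate presented at all (profile set to request, not require).
        HTTP::respond 403 content \
            "<html><body><h1>Client certificate required</h1></body></html>" \
            "Content-Type" "text/html" "Connection" "close"
        return
    }
}
```

The HANDSHAKE re-read is the part that distinguishes the Dynamic CRL case from CRL File: with CRL File the CLIENTCERT value is already final, while with the CRL Validator only a completed handshake exposes the updated result.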