I would like to create a chain of HTTPS 302 redirects to a series of domains (for research purposes). I also want to make sure that I can do a redirect if one of the certificates in my chain has been rejected. That is, I would like the following steps to occur:

  1. Do a redirect to URL 1
  2. The certificate gets rejected on the client due to some reason.
  3. Certificate rejection sends some sort of an indicator on the server, which then subsequently sends a redirect to another URL 2 with a valid certificate.

I do understand that a successful TLS negotiation needs to occur, before I am able to send an HTTPS 302 redirect to another location, but I was wondering if there is any indication on the server when an HTTPS certificate has been rejected (apart from not receiving any request even after some delay), to enable it to send a redirect to another URL with a valid certificate.

Polynomial
QPTR

1 Answer

No, this isn't possible with browsers. The failure is signalled by the client, and at that point it won't retry the connection, and there's nothing the server can respond with to make that happen. If a server could cause this type of redirect it could be abused to fingerprint the client's TLS support.

Polynomial
  • In what particular way can it be fingerprinted? – QPTR Mar 12 '19 at 16:35
  • @QPTR By continuously redirecting each time with different TLS options presented (e.g. supported cipher suite) to identify which ones throw an error and which ones are accepted. Essentially the same way a tool like sslscan or sslxray finds supported cipher suites on a server, except with a client redirect. – Polynomial Mar 12 '19 at 16:35
  • Thanks for the answer, makes sense. And there is absolutely no way this would be possible? – QPTR Mar 12 '19 at 16:39
  • I could do this if it were a client-side redirection though? That is, let's say I insert some JavaScript that causes a series of redirections, on a success or failure of a previous redirection. – QPTR Mar 12 '19 at 16:50
  • @QPTR You can do it with some server-side code and a lot of iframes, but there would be other concerns with automatic forwarding on TLS failure (e.g. spoofing the redirect). But ultimately there is no facility to do automatic forwarding. – Polynomial Mar 12 '19 at 16:58
  • spoofing by the client? is that possible? – QPTR Mar 12 '19 at 17:10
  • @QPTR The feature doesn't exist, so no. My point was that if such a feature did exist the redirect location field must be protected against modification by an attacker in a MitM scenario, which is not really possible when the certificate was rejected. – Polynomial Mar 12 '19 at 17:32