The best way to explain my problem is to explain the scenario first.
We have an Apache 2.2 on a Windows Server 2003.
If a user enters the page, Apache checks for a specific certificate (only our customers have it). If it exists, everything is fine and the user can visit the page; if not, the user is redirected to another page.
Our problem: Cellphone Browsers can’t install the certificate. So what we want to do now is, to tell Apache: If the user comes from a cellphone browser, the user can enter the page even without certificate.
Maybe SSL_require is what we should change, but I have no idea what to change.
I’m going to say, it’s probably not going to work out well trying to tell who’s a mobile user. HTTP AGENT isn’t going to tell you (necessarily) because all browsers are lying snots. Often the same browser name works for both desktop and mobile. You see sites like Facebook trying to manhandle it: the result seems to be, any browser names they don’t have in their list, get sent to mobile. This means the Konqueror desktop browser gets sent to mobile.
There are lists showing thousands of user agent strings which may or may not be mobile. Not really sure how Apache could reliably tell it’s a mobile or not. Browser sniffing is an option but not a nice one, for the reasons I gave above.
You might need to just have some text on your redirect page stating a certificate is necessary, and that your company is aware of the inability of mobiles to download the certificate. Not sure how important your certificate is?? Because if you were going to check user agent and just let mobiles through (meaning you might also get plenty of desktop browsers with lying names too) then you might as well have a link saying “click here if you can’t download the certificate” which brings them to your site. Which may end up defeating the purpose.
Stomme, only if he tries to redirect people to it… if he (however) has an indicator on the main site that a mobile friendly version is available (with a different method of authentication) then it should be fine. The main point is to ensure that you avoid sniffing for devices and make it as ubiquitous as possible.
I agree with Stomme, detecting user-agents is not the way to go because mobile devices (like desktop browsers) can fake their details quite easily - and this renders all methods of detection pointless, not to mention the fact that there are around 250,000 different mobile handsets with unique user_agents in the world, and about 15 new devices released every single week. Management and reducing the redundancy of trying to check against all of those would be too much effort for too little in the way of pay-off. In regards to your specific problem… there are SSL certificates that are mobile compatible, but they are much harder to get hold of and they’re more expensive than their cheap desktop counterparts. Perhaps your best bet would be to check with your certificate provider to ask about mobile device support (because it IS possible to have a mobile certificate - though I’m not sure how it would work in regards to installing). Otherwise I would say you would unfortunately have to either give up on relying on the custom certificate or block all mobile devices, because there’s nothing to stop someone who wants to bypass your system from simply using one of the many mobile device emulators to enter your system on a desktop undetected (and they would appear to you as a mobile device).
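The trade-off discussed in this thread, written out as Apache 2.2 mod_ssl configuration. This is an added example and not part of any post above: the first block is the User-Agent exemption the question asks about, the other two are the alternative the replies point to (certificate required on the main area, plus a separately linked entry with a different authentication method). All paths, location names, the regex and the realm name are constructed placeholders, and the virtual host is assumed to already have SSLEngine on and SSLCACertificateFile pointing at the CA that issued the customer certificates.

```apache
# Constructed example: every path, location and name below is a placeholder.

# --- Weak: certificate OR a matching User-Agent ----------------------
# SSLVerifyClient optional lets the handshake succeed without a
# certificate; SSLRequire then admits the request if either test passes.
# HTTP_USER_AGENT is a client-supplied header, so the second test holds
# for any client that sends a matching string, and the certificate
# check no longer protects the area.
<Location /customers-weak>
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" or %{HTTP_USER_AGENT} =~ m/Mobile/
</Location>

# --- Stronger: one rule per entry point, no header-based exemption ---
# Main area: a verified client certificate is mandatory for everyone.
<Location /customers>
    SSLVerifyClient require
    SSLVerifyDepth  1
</Location>

# Separate, openly linked entry for clients that cannot install the
# certificate. It is guarded by its own authentication (HTTP Basic over
# TLS here), not by guessing the device type.
<Location /customers-mobile>
    SSLRequireSSL
    AuthType     Basic
    AuthName     "Customer area"
    AuthUserFile "C:/placeholder/path/customers.htpasswd"
    Require      valid-user
</Location>
```

In the access log, requests admitted by the weak block are indistinguishable from real mobile traffic, which is why the replies treat the exemption as equivalent to dropping the certificate requirement.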