[support] CAS plugin: SSL error in verifying ticket

Frank Van Damme frank.vandamme at gmail.com
Mon Sep 27 09:13:13 UTC 2010


2010/9/21 Metzler, David <metzlerd at evergreen.edu>:
> Hmmm... The reasoning seems sound, but although I'm the cas module
> maintainer, another developer contributed the code for that portion of
> the app.  Could you do me a favor and log an issue on the cas project
> issue queue for this one?  I'll see if I can get the original code
> contributor to respond.

Hi again,

I figured this out in the meantime and I don't think there's a need
for a new issue. Let me explain.

- Drupal + cas: all that is wrong is the wording in the
aforementioned 3 options:

> * do not verify the certificate
> * verify the server using PEM certificate

This is actually: do *client* authentication. This could be useful if
you want the CAS server to identify the application that's trying to
authenticate.

> * verify the CA using PEM certificate

This is actually the way certificates are usually used: make sure you
are talking to the right server. And this actually works if you work
around a certain bug: the openssl client is incompatible with the ssl
implementation in Java (OpenJDK) (and as far as I read around it's the
JDK's fault). What you can try at the command line with openssl is
this:

openssl s_client -connect yourserver.example.com:443  -showcerts -no_ticket

The last option Makes It Work (tm).

Unfortunately you can't make curl modify this option, or set it
as a default - it isn't configurable in e.g. openssl.cnf. So the only
workaround is to recompile openssl without support for this
functionality.


-- 
Frank Van Damme
No part of this copyright message may be reproduced, read or seen,
dead or alive or by any means, including but not limited to telepathy
without the benevolence of the author.
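
Added example, not part of the original message and not the CAS module's code: the difference described above between client authentication and CA verification, plus the equivalent of `-no_ticket`, shown with Python's `ssl` module rather than curl. The mode names and the functions `build_client_context` and `describe` are hypothetical.

```python
import ssl

# Hypothetical labels for the three settings discussed in the message.
MODES = ("no_verify", "client_cert", "verify_ca")


def build_client_context(mode, pem_path=None, key_path=None, no_ticket=False):
    """Build a TLS client context for one of the three settings."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")

    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    if mode == "verify_ca":
        # Server authentication: the PEM file is the CA that signed the
        # server's certificate. Without a file, use the system trust store.
        if pem_path:
            ctx.load_verify_locations(cafile=pem_path)
        else:
            ctx.load_default_certs()
    elif mode == "client_cert":
        # Client authentication: the PEM file is OUR certificate (and key),
        # presented to the server. It says nothing about which servers we
        # trust, so server verification stays on (a choice of this example).
        if not pem_path:
            raise ValueError("client_cert mode needs a certificate file")
        ctx.load_default_certs()
        ctx.load_cert_chain(certfile=pem_path, keyfile=key_path)
    else:
        # no_verify: any server certificate is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    if no_ticket:
        # Same effect as "openssl s_client -no_ticket": the client does not
        # offer the RFC 5077 session ticket extension.
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "session_tickets": not (ctx.options & ssl.OP_NO_TICKET),
    }
```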

