2010/9/21 Metzler, David metzlerd@evergreen.edu:
Hmmm... The reasoning seems sound, but although I'm the cas module maintainer, another developer contributed the code for that portion of the app. Could you do me a favor and log an issue on the cas project issue queue for this one? I'll see if I can get the original code contributor to respond.
Hi again,
I figured this out in the meantime and I don't think there's a need for a new issue. Let me explain.
- Drupal + cas: all that is wrong is the wording of the aforementioned 3 options:
- do not verify the certificate
- verify the server using PEM certificate
This is actually: do *client* authentication. This could be useful if you want the CAS server to identify the application that's trying to authenticate
- verify the CA using PEM certificate
This is actually the way certificates are usually used: make sure you are talking to the right server. And this actually works if you work around a certain bug: the openssl client is incompatible with the SSL implementation in Java (OpenJDK) (and as far as I read around, it's the JDK's fault). What you can try at the command line with openssl is this:
openssl s_client -connect yourserver.example.com:443 -showcerts -no_ticket
The last option Makes It Work (tm).
Unfortunately you can't make curl modify this option, or set it as a default - it isn't configurable in e.g. openssl.cnf. So the only workaround is to recompile openssl without support for this functionality.
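To make the check in the message above repeatable, here is a small shell helper that runs `openssl s_client` against a CAS server with the `-no_ticket` workaround (and optionally a CA bundle, which is what "verify the CA using PEM certificate" amounts to) and reduces the output to the numeric "Verify return code". This is an added example, not code from the thread or from the Drupal cas module; it assumes `openssl(1)` is installed, and the host name and the sample s_client output below are constructed.

```bash
#!/bin/sh
# Added example: probe a CAS server's certificate chain the way the thread
# describes and report only the verification result.
# Assumes openssl(1) is on PATH. Host names below are placeholders.

# Read openssl s_client output on stdin and print the numeric verify code
# (0 means the chain verified against the trusted CAs; 21 is the common
# "unable to verify the first certificate" when the CA file is missing).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# probe HOST PORT [CAFILE]
# Connects with SNI and session tickets disabled (the workaround from the
# thread) and prints the verify code. Pass a PEM CA bundle as the third
# argument to verify against a specific CA instead of the system store.
probe() {
    host=$1
    port=$2
    cafile=$3
    if [ -n "$cafile" ]; then
        set -- -CAfile "$cafile"
    else
        set --
    fi
    # "Q" on stdin tells s_client to close the connection after the handshake.
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -showcerts -no_ticket "$@" 2>/dev/null | verify_code
}

# Constructed sample of the tail of an s_client report, used so the parser
# can be exercised without a network connection.
SAMPLE_OK='    Start Time: 1285000000
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---'

SAMPLE_FAIL='    Start Time: 1285000000
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---'

# Usage against a real server (placeholder host):
#   probe cas.example.invalid 443 /etc/ssl/certs/my-cas-ca.pem
```

If the code is 0 with `-no_ticket` and non-zero without it, the server is the Java/OpenJDK ticket problem the thread describes; if it is 21 or 19 in both cases, the CA bundle handed to the module is the thing to fix.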