2010/9/21 Metzler, David <metzlerd@evergreen.edu>:
Hmmm... The reasoning seems sound, but although I'm the cas module maintainer, another developer contributed the code for that portion of the app. Could you do me a favor and log an issue on the cas project issue queue for this one? I'll see if I can get the original code contributor to respond.
Hi again,

I figured this out in the meantime and I don't think there's a need for a new issue. Let me explain.

- Drupal + cas: all that is wrong is the wording in the aforementioned 3 options:

* do not verify the certificate
* verify the server using PEM certificate
This is actually: do *client* authentication. This could be useful if you want the CAS server to identify the application that's trying to authenticate
* verify the CA using PEM certificate
This is actually the way certificates are usually used: make sure you are talking to the right server. And this actually works if you work around a certain bug: the openssl client is incompatible with the SSL implementation in Java (OpenJDK) (and as far as I read around it's the JDK's fault). What you can try at the command line with openssl is this:

    openssl s_client -connect yourserver.example.com:443 -showcerts -no_ticket

The last option Makes It Work (tm). Unfortunately you can't make curl modify this option, or set it as a default - it isn't configurable in e.g. openssl.cnf. So the only workaround is to recompile openssl without support for this functionality.

--
Frank Van Damme
No part of this copyright message may be reproduced, read or seen, dead or alive or by any means, including but not limited to telepathy without the benevolence of the author.
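Added example, not part of the original message and not code from the cas module: the three settings discussed above, plus the session-ticket switch, written as Python `ssl` client contexts so the difference between them can be inspected. The function names `make_client_context`, `describe` and `probe` are hypothetical, and keeping server verification on in the client-certificate case is an assumption.

```python
import socket
import ssl


def make_client_context(mode, pem_path=None, no_ticket=False):
    """Return an SSLContext for one of the three settings in the thread.

    'none'   : do not verify the certificate
    'client' : present pem_path as a client certificate (client authentication)
    'ca'     : verify the server against the CA certificate(s) in pem_path
    """
    if mode == "none":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    elif mode == "client":
        if pem_path is None:
            raise ValueError("client authentication needs a PEM with cert and key")
        # Assumption: the server is still checked against the system CA store.
        ctx = ssl.create_default_context()
        ctx.load_cert_chain(pem_path)    # identifies this application to the server
    elif mode == "ca":
        # cafile=None falls back to the system CA store (assumption for the demo).
        ctx = ssl.create_default_context(cafile=pem_path)
    else:
        raise ValueError("unknown mode: %r" % (mode,))
    if no_ticket:
        # Sets SSL_OP_NO_TICKET, the option behind `s_client -no_ticket`.
        ctx.options |= ssl.OP_NO_TICKET
    return ctx


def describe(ctx):
    """Summarise what a context enforces on the connection."""
    return {
        "verifies_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "session_tickets_off": bool(ctx.options & ssl.OP_NO_TICKET),
    }


def probe(host, ctx, port=443, timeout=10):
    """Handshake with host; return (TLS version, cipher name) or raise on failure."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

Calling `probe` against the CAS host once with `no_ticket=False` and once with `no_ticket=True` shows whether the handshake failure depends on session tickets, as the `s_client` test does.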