Hi list!
I'm setting up the Drupal CAS plugin for the CAS authentication system. Basically the Drupal plugin checks with curl to a server running CAS to see if a ticket is valid. This happens over SSL, and this fails. I'm using a self-signed cert, which works nicely, and I have put the PEM certificate in the CAS module config box for "CAS PEM Certificate" on Drupal.
There are 3 options:
* do not verify the certificate
* verify the server using PEM certificate
* verify the CA using PEM certificate
I use the second option and I feed Drupal the certificate that the CAS server (Tomcat app speaking https) uses. I get an error in the cas/drupal debug log:
CURL error #58: unable to set private key file: '/root/tomcat.pem'.
That's confusing because it obviously needs a *public* key file, no?
Hmmm... The reasoning seems sound, but although I'm the CAS module maintainer, another developer contributed the code for that portion of the app. Could you do me a favor and log an issue on the CAS project issue queue for this one? I'll see if I can get the original code contributor to respond.
Dave
-----Original Message-----
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Frank Van Damme
Sent: Tuesday, September 21, 2010 1:40 AM
To: support@drupal.org
Subject: [support] CAS plugin: SSL error in verifying ticket
2010/9/21 Metzler, David metzlerd@evergreen.edu:
Hi again,
I figured this out in the meantime and I don't think there's a need for a new issue. Let me explain.
- Drupal + CAS: all that is wrong is the wording of the aforementioned 3 options:
  - do not verify the certificate
  - verify the server using PEM certificate
    This is actually: do *client* authentication. This could be useful if you want the CAS server to identify the application that's trying to authenticate.
  - verify the CA using PEM certificate
    This is actually the way certificates are usually used: make sure you are talking to the right server. And this actually works if you work around a certain bug: the openssl client is incompatible with the SSL implementation in Java (OpenJDK) (and as far as I have read around, it's the JDK's fault). What you can try at the command line with openssl is this:
openssl s_client -connect yourserver.example.com:443 -showcerts -no_ticket
The last option Makes It Work (tm).
Unfortunately you can't make curl modify this option, or set it as a default - it isn't configurable in e.g. openssl.cnf. So the only workaround is to recompile openssl without support for this functionality.
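The mislabeled option described above, as an added example that is not part of this thread or of the CAS module's code: it uses Python's ssl module, which drives OpenSSL the same way curl's CURLOPT_SSLCERT (client certificate) and CURLOPT_CAINFO (trust anchor) do, and it assumes the openssl CLI is installed to mint a throwaway self-signed certificate standing in for the poster's tomcat.pem.

```python
# Added example: why a server's public PEM works as a trust anchor (the
# module's "verify the CA" option) but fails as a client certificate (its
# "verify the server" option), which is what curl error 58 reports.
# Assumes the `openssl` CLI is installed; the cert minted here is a throwaway
# self-signed one standing in for the poster's tomcat.pem.
import os
import ssl
import subprocess
import tempfile

def make_self_signed(tmpdir, cn="cas.example.invalid"):
    """Mint key.pem (private) and cert.pem (public) like a Tomcat CAS server's."""
    cert, key = os.path.join(tmpdir, "cert.pem"), os.path.join(tmpdir, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={cn}", "-keyout", key,
                    "-out", cert], check=True, capture_output=True)
    return cert, key

def use_as_client_cert(pem_path):
    """'verify the server using PEM certificate' really loads the PEM as the
    client's own identity (curl's CURLOPT_SSLCERT), so OpenSSL wants a private
    key in it. Returns None on success, else the OpenSSL error text."""
    try:
        ssl.create_default_context().load_cert_chain(pem_path)
    except ssl.SSLError as exc:  # Python's analogue of curl error 58
        return str(exc)
    return None

def use_as_trust_anchor(pem_path):
    """'verify the CA using PEM certificate': trust the self-signed server cert
    as the CA (curl's CURLOPT_CAINFO). Returns how many certs the store holds."""
    ctx = ssl.create_default_context(cafile=pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx.cert_store_stats()["x509"]

def demo():
    """Returns (certs_in_trust_store, err_public_cert_only, err_cert_plus_key)."""
    with tempfile.TemporaryDirectory() as d:
        cert, key = make_self_signed(d)
        # A client certificate file must carry the private key as well.
        both = os.path.join(d, "both.pem")
        with open(cert) as c, open(key) as k, open(both, "w") as out:
            out.write(c.read() + k.read())
        return use_as_trust_anchor(cert), use_as_client_cert(cert), use_as_client_cert(both)

if __name__ == "__main__":
    print(demo())
```

The public certificate alone loads fine as a trust anchor but is rejected as a client certificate; only the file that also contains the private key is accepted in that role.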