CAS plugin: SSL error in verifying ticket
Hi list! I'm setting up the Drupal CAS plugin for the CAS authentication system. Basically the Drupal plugin checks with curl to a server running CAS to see if a ticket is valid, which happens over SSL, and which fails. I'm using a self-signed cert, which works nicely, and I have put the PEM certificate in the CAS module config box for "CAS PEM Certificate" on Drupal. There are 3 options:

* do not verify the certificate
* verify the server using PEM certificate
* verify the CA using PEM certificate

I use the second option and I feed Drupal the certificate that the CAS server (Tomcat app speaking https) uses. I get an error in the cas/drupal debug log:

CURL error #58: unable to set private key file: '/root/tomcat.pem'

That's confusing because it obviously needs a *public* key file, no?
Hmmm... The reasoning seems sound, but although I'm the cas module maintainer, another developer contributed the code for that portion of the app. Could you do me a favor and log an issue on the cas project issue queue for this one? I'll see if I can get the original code contributor to respond.

Dave

-----Original Message-----
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Frank Van Damme
Sent: Tuesday, September 21, 2010 1:40 AM
To: support@drupal.org
Subject: [support] CAS plugin: SSL error in verifying ticket

-- [ Drupal support list | http://lists.drupal.org/ ]
2010/9/21 Metzler, David <metzlerd@evergreen.edu>:
Hmmm... The reasoning seems sound, but although I'm the cas module maintainer, another developer contributed the code for that portion of the app. Could you do me a favor and log an issue on the cas project issue queue for this one? I'll see if I can get the original code contributor to respond.
Hi again, I figured this out in the meantime and I don't think there's a need for a new issue. Let me explain.

- Drupal + cas: all that is wrong is the wording in the aforementioned 3 options:

* do not verify the certificate
* verify the server using PEM certificate

This is actually: do *client* authentication. This could be useful if you want the CAS server to identify the application that's trying to authenticate.

* verify the CA using PEM certificate

This is actually the way certificates are usually used: make sure you are talking to the right server. And this actually works if you work around a certain bug: the openssl client is incompatible with the SSL implementation in Java (OpenJDK) (and as far as I read around, it's the JDK's fault). What you can try at the command line with openssl is this:

openssl s_client -connect yourserver.example.com:443 -showcerts -no_ticket

The last option Makes It Work (tm). Unfortunately you can't make curl modify this option, or set it as a default - it isn't configurable in e.g. openssl.cnf. So the only workaround is to recompile openssl without support for this functionality.

--
Frank Van Damme
No part of this copyright message may be reproduced, read or seen, dead or alive or by any means, including but not limited to telepathy without the benevolence of the author.
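As an added illustration of the point made in this thread (this is not the Drupal CAS module's own code and not part of either poster's message), the PHP function below shows how the three "CAS PEM Certificate" choices map onto cURL options, and why handing the server's public certificate to the client-certificate option produces CURL error #58 while handing the same file to the CA option verifies the server. The function name, the `CAS_VERIFY_*` constants and the URL shape are assumptions made for this example.

```php
<?php
// Added example (not the Drupal CAS module's code). Names below are assumed
// for illustration only.
define('CAS_VERIFY_NONE',   0); // "do not verify the certificate"
define('CAS_VERIFY_CLIENT', 1); // "verify the server using PEM certificate" (really: client auth)
define('CAS_VERIFY_CA',     2); // "verify the CA using PEM certificate" (really: server verification)

/**
 * Validate a CAS service ticket over HTTPS.
 *
 * @param string $validate_url
 *   e.g. https://cas.example.com/cas/serviceValidate?service=...&ticket=...
 * @param string $pem_path
 *   Path to a PEM file; what it must contain depends on $mode.
 * @param int $mode
 *   One of the CAS_VERIFY_* constants.
 *
 * @return array
 *   array(bool $ticket_valid, string $body_or_error_message)
 */
function cas_validate_ticket($validate_url, $pem_path, $mode) {
  $ch = curl_init($validate_url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);

  switch ($mode) {
    case CAS_VERIFY_NONE:
      // Any certificate is accepted, so an attacker between Drupal and the CAS
      // server could answer the validation request with a forged response.
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
      break;

    case CAS_VERIFY_CLIENT:
      // Presents $pem_path as OUR client certificate to the CAS server.
      // cURL expects the matching private key in the same file (or via
      // CURLOPT_SSLKEY). A file holding only the server's public certificate
      // yields "CURL error #58: unable to set private key file".
      curl_setopt($ch, CURLOPT_SSLCERT, $pem_path);
      curl_setopt($ch, CURLOPT_SSLCERTTYPE, 'PEM');
      break;

    case CAS_VERIFY_CA:
      // $pem_path is the trust anchor used to verify the CAS server. For a
      // self-signed server certificate that is the server certificate itself;
      // otherwise it is the issuing CA certificate.
      curl_setopt($ch, CURLOPT_CAINFO, $pem_path);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // also check the hostname
      break;
  }

  $body = curl_exec($ch);
  if ($body === FALSE) {
    $err = sprintf('CURL error #%d: %s', curl_errno($ch), curl_error($ch));
    curl_close($ch);
    return array(FALSE, $err);
  }
  curl_close($ch);

  // CAS 2.0 serviceValidate answers with <cas:authenticationSuccess> on a
  // valid ticket and <cas:authenticationFailure> otherwise.
  $valid = strpos($body, 'cas:authenticationSuccess') !== FALSE;
  return array($valid, $body);
}
```

With the file from the thread, `cas_validate_ticket($url, '/root/tomcat.pem', CAS_VERIFY_CLIENT)` reproduces the error #58 message, because cURL looks for a private key that a public server certificate does not contain, whereas `CAS_VERIFY_CA` with the same file is the setting that actually checks you are talking to the right CAS server. The `-no_ticket` TLS session-ticket issue Frank describes is a separate, OpenSSL-level problem that these cURL options cannot switch off.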