SSL cert errors using mod_auth_cas
Phillip Ames
phillip.ames at uconn.edu
Wed Aug 1 19:42:26 EDT 2007
Hi,
I just committed to SVN version 0.9.6 which now implements a new directive,
'CASValidateDepth' (default value: 9 - I believe this is what OpenSSL uses
as a default). This should alleviate any problems you are having.
Thanks for the troubleshooting & bug report. If you have any more problems,
let me know.
-Phil
On 8/1/07 5:17 PM, "Josh Kelley" <joshkel at gmail.com> wrote:
> Paul Ortman (portman at goshen.edu) wrote:
>
>> I'm attempting to get mod_auth_cas working as a CAS client and can't
>> seem to get it to trust my CAS server (login.goshen.edu). In the
>> Apache error log I get:
>>
>> MOD_AUTH_CAS: Could not perform SSL handshake with
>> login.goshen.edu (check CASCertificatePath), referer:
>> http://wiki.goshen.edu/twiki/bin/view/lib/WebHome
>
> I've been dealing with what I think is a similar issue in our
> deployment. From what I can tell, mod_auth_cas sets an SSL verify
> depth limit of 1, which means that it will refuse to verify chained
> SSL certificates, such as IPS CA returns. I believe this is a bug, so
> I logged it on JIRA:
>
> http://www.ja-sig.org/issues/browse/MAS-2
>
> In the meantime, you can easily fix it by patching mod_auth_cas.c;
> just delete the line
> SSL_CTX_set_verify_depth(ctx, 1);
>
> Hope that helps.
>
> Josh Kelley
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
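
The depth-limit behaviour discussed in this thread can be reproduced with the openssl command-line tool. The script below is an added example, not code from mod_auth_cas or from anyone in the thread; it builds a constructed root -> intermediate -> leaf chain (function names, file names and subject names are all hypothetical) and verifies the leaf under a shallow and a generous depth limit. OpenSSL 1.1.0 and later count only intermediate CAs toward the limit, so the shallow case here uses 0 rather than the 1 quoted above.

```shell
#!/bin/sh
# Added example: constructed CA chain, hypothetical names throughout.

make_chain() {  # $1 = existing work directory
  c=$1
  cat > "$c/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -config "$c/demo.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -subj "/CN=Demo Root CA" -days 2 \
    -keyout "$c/root.key" -out "$c/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -config "$c/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$c/int.key" -out "$c/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$c/int.csr" -CA "$c/root.pem" -CAkey "$c/root.key" \
    -set_serial 2 -extfile "$c/demo.cnf" -extensions ca_ext -days 2 \
    -out "$c/int.pem" 2>/dev/null || return 1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$c/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=login.example.test" \
    -keyout "$c/leaf.key" -out "$c/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$c/leaf.csr" -CA "$c/int.pem" -CAkey "$c/int.key" \
    -set_serial 3 -days 2 -out "$c/leaf.pem" 2>/dev/null || return 1
}

verify_at_depth() {  # $1 = work directory, $2 = depth limit; exit status 0 = chain accepted
  openssl verify -verify_depth "$2" -CAfile "$1/root.pem" \
    -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d) || return 1
  make_chain "$work" || { rm -rf "$work"; return 1; }
  for depth in 0 9; do
    if verify_at_depth "$work" "$depth"; then
      echo "verify depth $depth: chain accepted"
    else
      echo "verify depth $depth: chain rejected"
    fi
  done
  rm -rf "$work"
}

demo
```

The same certificates are rejected or accepted purely on the depth setting, which is why a handshake can fail even when CASCertificatePath points at the correct root.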