x509 login broken in Safari

Sean R. McNamara sean.r.mcnamara at Dartmouth.EDU
Tue Jun 10 12:23:14 EDT 2008
Hi,

I posted a message about this last week but didn't hear anything back from anyone. As of OS X 10.5.3, Apple changed the way client certs are released. In the case that an [apache] server is configured with

SSLVerifyClient optional

you must specify an option on your client cert in the keychain to allow that cert to be released to that particular requesting server (in this case, our CAS server). The problem is you cannot specify wildcards in the option, and it considers URL parameters as part of the fixed URL.

The end result is that CAS x509 auth breaks unless you explicitly specify every single possible entry point (i.e. every possible value of the 'service' parameter), which isn't pretty for larger deployments.

Of course you can set SSLVerifyClient required, but this precludes anyone from doing any other form of authentication if they don't have a client cert, since the SSL handshake will fail and then, game over.

It's a catch-22 either way. Has anyone else encountered this problem? If so, has anyone come up with any possible solutions?

I appreciate any help or advice that could be provided..

Thanks..

..Sean. 
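Added illustration, not part of Sean's message or of the CAS project: the two mod_ssl settings the message contrasts, written out as an Apache virtual host, together with the per-Location form of SSLVerifyClient that mod_ssl also accepts. The host name, certificate paths and the /cas/x509login path are assumed placeholders, and the directive's keyword is `require` (the message writes "required").

```apache
# Added example, not from the original post. Assumed placeholders:
# cas.example.org, the certificate paths, and the /cas/x509login path.
<VirtualHost *:443>
    ServerName cas.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cas.pem        # assumed path
    SSLCertificateKeyFile /etc/ssl/private/cas.key      # assumed path
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem  # CA that issued client certs

    # The setting described in the post: the server asks for a client
    # cert but completes the handshake without one, so password or other
    # login forms on this host keep working. With Safari on 10.5.3 the
    # cert is only sent if the keychain entry allows this exact URL,
    # query string (?service=...) included.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # The alternative from the post: no client cert, no handshake, so no
    # other form of login is reachable on this host at all.
    # SSLVerifyClient require

    # mod_ssl also accepts SSLVerifyClient in a <Location> (or <Directory>)
    # context and enforces it by renegotiating when a request enters that
    # scope, so the hard requirement can be confined to one path while the
    # rest of the host stays at "optional". Whether this sidesteps the
    # keychain per-URL restriction depends on the exact URL Safari sees
    # for that path.
    <Location /cas/x509login>
        SSLVerifyClient require
    </Location>
</VirtualHost>
```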
