x509 login broken in Safari
Shi Yusen
shiys at langhua.cn
Tue Jun 10 15:07:20 EDT 2008
Do you mean you want to use multiple CRLs?
On Tue, 2008-06-10 at 12:23 -0400, Sean R. McNamara wrote:
> Hi,
>
> I posted a message about this last week but didn't hear anything back
> from anyone. As of OS X 10.5.3, Apple changed the way client certs are
> released. In the case that an [apache] server is configured with
>
> SSLVerifyClient optional
>
> you must specify an option on your client cert in the keychain to allow that cert to be released to that particular requesting server (in this case, our CAS server).
> The problem is you cannot specify wildcards in the option, and it considers URL parameters as part of the fixed URL.
>
> The end result is that CAS x509 auth breaks unless you were to explicitly specify every single possible entry point (i.e. every possible value
> of the 'service' parameter), which isn't pretty for larger deployments.
>
> Of course you can set SSLVerifyClient required, but this precludes anyone from doing any other form of authentication if they don't have a
> client cert since the SSL Handshake will fail and then, game over.
>
> It's a catch-22 either way. Has anyone else encountered this problem? If so, has anyone come up with any possible solutions?
>
> I appreciate any help or advice that could be provided..
>
> Thanks..
>
> ..Sean.
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
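The two mod_ssl settings contrasted in the quoted message, shown side by side as an added illustration; this is not configuration from either poster or from the CAS project. It assumes an Apache 2.x server with mod_ssl serving a CAS deployment under a hypothetical /cas path, and every file path and the /cas/x509login location are placeholders. The server-wide `optional` keeps the handshake from failing for users without a certificate, while a `<Location>`-scoped `require` (Apache renegotiates the handshake for that path only) confines mandatory client-certificate checking to one dedicated entry point. This addresses the "game over" handshake failure, not Safari's per-URL certificate-release prompt: Safari will still match the exact URL requested, so a fixed entry path without a varying query string is what this layout aims for.

```apache
# Added example (not from the thread): client certificate is requested
# server-wide but a handshake without one still succeeds, so form-based
# username/password logins keep working on the ordinary /cas/login path.
<VirtualHost *:443>
    SSLEngine on
    # Placeholder server key pair and the CA that issues client certificates
    SSLCertificateFile    /etc/ssl/certs/cas.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/cas.example.org.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    # Weak-for-enforcement but non-breaking: verify a cert if one is offered
    SSLVerifyClient optional
    SSLVerifyDepth  2
    # Expose SSL_CLIENT_* variables so the application behind Apache can
    # read the subject DN of a presented certificate
    SSLOptions +StdEnvVars +ExportCertData

    # Hypothetical dedicated x509 entry point: a certificate is mandatory
    # here only, so a client without one is refused on this path but is
    # not locked out of the rest of the CAS server
    <Location /cas/x509login>
        SSLVerifyClient require
    </Location>
</VirtualHost>
```

Apache does not accept comments after a directive on the same line, so the comments above are kept on their own lines; when checking such a change, `apachectl configtest` reports syntax problems before a reload.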