cosign-discuss at umich.edu
general discussion of cosign development and deployment
RE: access problem
OK, this was my fault. I assumed, since we had OpenSSL running on the web site, that we had a random number generator. However, after trying to create a test certificate using CA.pl, I noticed an OpenSSL error for PRNG, a random seed error. So I got the HP KRNG depot file and fixed that issue.
Thanks much for your time.
From: Goldrick, Jim
Sent: Tuesday, November 02, 2004 7:31 AM
To: 'Wesley D Craig'
Subject: RE: access problem
Hope I can pick your brain a little more. I put that in. I also upgraded to OpenSSL 9.7e. Now I am getting this in the apache log:
snet_starttls: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protoc
Unable to connect to any Cosign server.
this is in the syslog.log:
Nov 1 16:52:18 judsonhp cosignd: connect: 10.100.0.142
Nov 1 16:52:18 judsonhp cosignd: f_starttls: snet_starttls: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Any suggestions or direction would be appreciated. I am using self signed certs. I read where you all used them and I am trying to test. They do pass the basic verify test, however, I do not get much output when doing the openssl test on the list:
cat /dev/null | /opt/openssl-0.9.7e/apps/openssl s_client -connect acadinfo.judsoncollege.edu:6663 -CApath /opt/apache/etc/ssl.crt -cert /opt/apache/etc/ssl.crt/server.crt -key /opt/apache/etc/xxxxx.key/xxxxxxxxxx.key -starttls smtp
I am using the basic approach.
From: Wesley D Craig [mailto:wes@xxxxxxxxx]
Sent: Monday, November 01, 2004 6:17 PM
To: Goldrick, Jim
Subject: Re: access problem
On 29 Oct 2004, at 16:03, Goldrick, Jim wrote:
> Where does the Judson College come from? The certificate? Should it
> be in the conf file? here is that.
The string "Judson College" is coming from the CN of the certificate.
You could put that name in the conf file, if the conf file supported
quoting, which it doesn't currently. Typically, certificates for web
services have a hostname for the CN. To get it to "just work" for
testing purposes, you can specify a wildcard, e.g.,
service * 0
Hope that helps.