CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: multiple cosign configuration and runtime issues



Hey Ben,

On Nov 10, 2004, at 7:27 PM, Ben Poliakoff wrote:
Issue #1

When I try to logout something funny happens: Apache gives me an
"internal error page" and in my Apache error log I see:

/usr/local/cosign/certs/weblogin.reed.edu.key: No such file or directory

Are mod_cosign and the cgi/daemon running on the same host? That error could be from the logout cgi and not mod_cosign.


My CosignCrypto looks like this:

CosignCrypto /var/cosign/certs/key.pem /var/cosign/certs/cert.pem /var/cosign/certs/CA

Shouldn't mod_cosign be looking for /var/cosign/certs/key.pem?

Yes, you are 100% correct. This is why I think it's the logout cgi. :)



Issue #2


So I tried playing along and started making some symlinks so that
/var/cosign/certs/key.pem was linked to
/usr/local/cosign/certs/weblogin.reed.edu.key (ditto with the cert).

This gets me a little further, but then I hit the next issue.
My cert isn't verifying. Stracing httpd I find that it thinks
the CAdir is /usr/share/ssl/cert.pem! (i.e. it's looking for
/usr/share/ssl/cert.pem/ddc328ff.0 and naturally not finding it). I
don't find the string "/usr/share/ssl/cert.pem" anywhere in cosign, but
I do see it in OpenSSL's "libcrypto.so"; presumably it's a hard-coded
default that's not getting overridden by any other setting.

Once again this kinda depends on your setup of the cgi, the daemon, and the module. The cgi and daemon's cert/key/CAPath are built at compile time (tho you can override the daemon's option on the cmd line) based on the options you give configure. mod_cosign's come from the CosignCrypto directive. I have no idea where "/usr/share/ssl/cert.pem" comes from; it is not a hardcoded default of ours at all. Maybe it's an OpenSSL conf thing? All parts of cosign should be using their respective CApaths and nothing from openssl itself.



Issue #3


Playing along again I make /usr/share/ssl/cert.pem a link to
/var/cosign/certs/CA/ (a directory that contains my cacerts and the hash
links to each of them). This gets me just a little further. But logout
still fails, with apache's errorlog reporting:

net_logout: 511 LOGOUT: Invalid cookie name.

and cosignd reporting to syslog:

cosignd[15584]: f_logout: cookie name contains '/'

And indeed the cookie name *does* include a / (two of them actually).
Here's the debug (slightly edited) output from cosignd:

    debug: LOGOUT
    cosign=FtSw0jUie..snip..8cAizQWFY/1100124532/2 xxx.xxx.xxx.xxx

So I'm not sure if there are many problems here or just a single one.

This is 1.7.0? I have it running on our cosign-test and I am able to logout ok. There was a bug a while back when I first added the / bits that cosign.cgi knew about the /s and logout.cgi did not, but this has been fixed for a while. :)


Put 2 fprintfs like this by this bit of code in logout.cgi (line 191):

    /* only the cosign= cookie and not the loop breaking info */
    fprintf( stderr, "cookie with slash: %s\n", cookie );
    (void)strtok( cookie, "/" );
    fprintf( stderr, "cookie NO slash: %s\n", cookie );

And in my logout cgi I get (cookie truncated so as not to wrap too much):

cookie with slash: cosign=5EhvIA76oYEfHw8+EsRvK2iByG2rZSPagaytZpdSKPC9/1100134223/1
cookie NO slash: cosign=5EhvIA76oYEfHw8T+EsRvK2iByG2rZSPagaytZpdSKPC9


I'd like to see what you get. :)
-J
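As an added illustration (not code from cosign or from either poster), the split that logout.cgi performs with strtok() above, written as a non-destructive parser of the `cosign=<value>/<timestamp>/<count>` cookie together with the "no '/' in the cookie name" check that cosignd's f_logout enforces. The sample cookie is constructed in the format shown in the thread.

```c
/* Added example (not cosign's own code): split a cosign service cookie of
 * the form "cosign=<value>/<timestamp>/<count>" into its parts, as the
 * thread describes logout.cgi doing with strtok(), and reject a cookie
 * name that still contains '/' the way cosignd's f_logout does. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the "cosign=<value>" part (everything before the first '/') into
 * out, which holds outlen bytes. Returns 0 on success, -1 if the name does
 * not fit. Unlike strtok(), the input string is left unmodified. */
int strip_loop_info(const char *cookie, char *out, size_t outlen) {
    size_t n = strcspn(cookie, "/");
    if (n >= outlen) return -1;
    memcpy(out, cookie, n);
    out[n] = '\0';
    return 0;
}

/* Mirror of the cosignd check quoted in the thread: a cookie name handed
 * to the daemon must not contain '/'. Returns 1 if valid, 0 otherwise. */
int cookie_name_valid(const char *cookie) {
    return strchr(cookie, '/') == NULL;
}

/* Parse the loop-breaking fields "/<timestamp>/<count>" after the value.
 * Returns 0 and fills ts/count on success, -1 if absent or malformed. */
int parse_loop_info(const char *cookie, long *ts, int *count) {
    const char *p = strchr(cookie, '/');
    char *end;
    if (p == NULL) return -1;
    *ts = strtol(p + 1, &end, 10);
    if (end == p + 1 || *end != '/') return -1;
    *count = (int)strtol(end + 1, &end, 10);
    if (*end != '\0') return -1;
    return 0;
}

int main(void) {
    /* constructed sample in the format shown in the thread */
    const char *raw = "cosign=5EhvIA76oYEfHw8T+EsRvK2iByG2rZSPagaytZpdSKPC9/1100134223/1";
    char name[256];
    long ts; int count;
    if (strip_loop_info(raw, name, sizeof name) == 0)
        printf("cookie NO slash: %s (valid=%d)\n", name, cookie_name_valid(name));
    if (parse_loop_info(raw, &ts, &count) == 0)
        printf("timestamp=%ld count=%d\n", ts, count);
    return 0;
}
```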



 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010