cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: multiple cosign configuration and runtime issues
On Nov 10, 2004, at 7:27 PM, Ben Poliakoff wrote:
When I try to logout something funny happens, apache give me an
"internal error page" and I in my apache errorlog I see:
/usr/local/cosign/certs/weblogin.reed.edu.key: No such file or
Are mod_cosign and the cgi/daemon running on the same host? That error
could be from the logout cgi, and not mod_cosign.
My CosignCrypto looks like this:
CosignCrypto /var/cosign/certs/key.pem /var/cosign/certs/cert.pem
Shouldn't mod_cosign be looking for /var/cosign/certs/key.pem?
Yes, you are 100% correct. This is why I think it's the logout cgi. :)
So I tried playing along and started making some symlinks so that
/var/cosign/certs/key.pem was linked to
/usr/local/cosign/certs/weblogin.reed.edu.key (ditto with the cert).
This gets me a little further, but then I hit the next issue.
My cert isn't verifying. Stracing httpd I find that it thinks
the CAdir is /usr/share/ssl/cert.pem! (i.e. it's looking for
/usr/share/ssl/cert.pem/ddc328ff.0 and naturally not finding it). I
don't find the string "/usr/share/ssl/cert.pem" anywhere in cosign, but
I do see it in OpenSSL's "libcrypto.so", presumably it's a hard
default that's not getting overridden by any other setting.
Once again this kinda depends on your setup of the cgi, the daemon, and
the module. The cgi and daemon's cert/key/CAPath are built at compile
time (though you can override the daemon's option on the cmd line) based on
the options you give configure. mod_cosign's come from the CosignCrypto
directive. I have no idea where "/usr/share/ssl/cert.pem" comes from;
it is not a hardcoded default of ours at all. Maybe it's an OpenSSL
conf thing? All parts of cosign should be using their respective CApaths
and nothing from openssl itself.
Playing along again I make /usr/share/ssl/cert.pem a link to
/var/cosign/certs/CA/ (a directory that contains my cacerts and the
links to each of them). This gets me just a little further, but it
still fails, with apache's errorlog reporting:
net_logout: 511 LOGOUT: Invalid cookie name.
and cosignd reporting to syslog:
cosignd: f_logout: cookie name contains '/'
And indeed the cookie name *does* include a / (two of them actually).
Here's the debug (slightly edited) output from cosignd:
So I'm not sure if there are many problems here or just a single one.
This is 1.7.0? I have it running on our cosign-test and I am able to
logout ok. There was a bug a while back when I first added the / bits
that cosign.cgi knew about the /s and logout.cgi did not, but this has
been fixed for a while. :)
Put 2 fprintfs like this by this bit of code in logout.cgi (line 191):
/* only the cosign= cookie and not the loop breaking info */
fprintf( stderr, "cookie with slash: %s\n", cookie );
(void)strtok( cookie, "/" );
fprintf( stderr, "cookie NO slash: %s\n", cookie );
and in my logout cgi I get (cookie truncated so as not to wrap too
cookie with slash:
cookie NO slash: cosign=5EhvIA76oYEfHw8T+EsRvK2iByG2rZSPagaytZpdSKPC9
I'd like to see what you get. :)
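As an added illustration of the two checks this thread turns on, written for this reply and not taken from cosign's own source: the cgi side drops the loop-breaking "/..." suffix the way the strtok( cookie, "/" ) line above does, and the daemon side refuses any cookie name that still contains a '/', which is what produces the "cookie name contains '/'" syslog line. The function names and the sample cookie value are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not cosign's): copy the cookie up to the first '/',
 * discarding the loop-breaking info, like strtok( cookie, "/" ) in logout.cgi
 * but without modifying the caller's buffer. Caller frees the result. */
char *strip_loop_info(const char *cookie)
{
    size_t n = strcspn(cookie, "/");   /* bytes before the first '/' */
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, cookie, n);
    out[n] = '\0';
    return out;
}

/* Hypothetical mirror of the cosignd f_logout check: a cookie name is
 * acceptable only if it contains no '/'. Returns 1 if ok, 0 if rejected. */
int cookie_name_ok(const char *cookie)
{
    return strchr(cookie, '/') == NULL;
}

/* Constructed sample, shaped like "cosign=<token>/<loop-breaking info>" */
static const char *sample = "cosign=exampleTokenValue0123/1100123456/1";

int main(void)
{
    char *bare = strip_loop_info(sample);
    if (bare == NULL)
        return 1;
    /* The raw value fails the daemon's check; the stripped one passes. */
    printf("raw:      %s -> %s\n", sample,
           cookie_name_ok(sample) ? "accepted" : "rejected");
    printf("stripped: %s -> %s\n", bare,
           cookie_name_ok(bare) ? "accepted" : "rejected");
    free(bare);
    return 0;
}
```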