CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


Re: runtime requirements for IISCosign




Phil,


I think I can see what is happening. In the first scenario the CA file doesn't 'match-up' with the provided key/cert pair. This causes the OpenSSL libraries to fail. In the second case (when you renamed the file) your cosign.dll.config file is still pointing to the previous file name for the CA file. It can't find the file so it fails.

Sorry the messages are verbose and confusing. I tried to leverage each library's error-reporting routines when possible. Do you (or anybody else reading this :) think it would be helpful if the IISCosign log files suggested solutions? For example:

[ti:me:stamp] SetCosignCerts failed. Make sure file paths are correct in cosign.dll.config and certificate files are valid.

Maybe the latter part is a bit vague, but something similar perhaps?

--Jarod Malestein
--University of Michigan
--ITCS

--On Friday, April 16, 2004 5:18 PM -0400 Phil Pishioneri <pgp@xxxxxxx> wrote:

On 4/12/04 5:56 PM, jarod@xxxxxxxxx wrote:

> Almost everything you need to run IISCosign is included with the
> installer. ...
>
> The extra run-time requirements involve SSL certificates.  You will
> need a certificate authority file as well as a private key and a
> signed certificate.


I had been testing on Apache earlier with my own CA, which was working fine.

> Were you having trouble getting IISCosign to load?  Did any of this
> help?


Yes, it was related to my CA file (almost seems related to the name I'd choose for it), and I still don't know why it works now. I could use the openssl you supply to examine both CA files without any problems.

When the filter would fail for me (specifying it in CAFilePath),
CosignLog.csl (trimmed) would show this error (note the first "line 556"
entry)

> GetFilterVersion: Getting SSL certificates.
> SSL_CTX_load_verify_locations( C:\Program
> Files\IISCosign\SSL\ASET-CA.pem ) failed.
> D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> Input/output error
> fopen
> system library
> D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> system lib
> BIO_new_file
> BIO routines
> D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> system lib
> X509_load_cert_crl_file
> x509 certificate routines
> GetFilterVersion::SetCosignCerts() failed
> Terminating Cosign Filter

which isn't quite the same as when I'd rename the file to see if I had
mistyped the path

> GetFilterVersion: Getting SSL certificates.
> SSL_CTX_load_verify_locations( C:\Program
> Files\IISCosign\SSL\ASET-CA.pem ) failed.
> D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> No such file or directory
> fopen
> system library
> D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> no such file
> BIO_new_file
> BIO routines
> D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> system lib
> X509_load_cert_crl_file
> x509 certificate routines
> GetFilterVersion::SetCosignCerts() failed
> Terminating Cosign Filter

I would like to get a handle on this for when we start deploying the
service.

-Phil
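The two log excerpts in this thread differ only in the reason strings of their OpenSSL error entries, which is what a "suggested solution" line would have to key on. The following is an added example, not IISCosign code or anything posted to the list: it parses that log layout and derives a hint from the fopen/BIO_new_file entries. The sample logs are reconstructed from the excerpts above with the e-mail wrapping undone; the function names, the hint wording and the mapping from reason to hint are assumptions.

```python
import re

# Constructed sample: the thread's two excerpts, unwrapped, "> " markers removed.
SRC = r"D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:"
CALL = r"SSL_CTX_load_verify_locations( C:\Program Files\IISCosign\SSL\ASET-CA.pem ) failed."

def sample(fopen_reason, bio_reason):
    return "\n".join([CALL,
                      SRC, fopen_reason, "fopen", "system library",
                      SRC, bio_reason, "BIO_new_file", "BIO routines",
                      SRC, "system lib", "X509_load_cert_crl_file",
                      "x509 certificate routines",
                      "GetFilterVersion::SetCosignCerts() failed"])

IO_LOG = sample("Input/output error", "system lib")
MISSING_LOG = sample("No such file or directory", "no such file")

CALL_RE = re.compile(r"^(\w+)\(\s*(.+?)\s*\) failed\.$")

def parse_failure(log_text):
    """Return (call, path, entries); each entry is (reason, function, library)."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    call = path = None
    entries, i = [], 0
    while i < len(lines):
        m = CALL_RE.match(lines[i])
        if m and call is None:
            call, path = m.groups()
        elif lines[i].endswith("SSL Error:") and i + 3 < len(lines):
            # Each "SSL Error:" header is followed by reason, function, library.
            entries.append(tuple(lines[i + 1:i + 4]))
            i += 3
        i += 1
    return call, path, entries

def hint(log_text):
    """Turn one failed-call block into a one-line hint (mapping is an assumption)."""
    call, path, entries = parse_failure(log_text)
    if call is None or not entries:
        return None
    opens = [e for e in entries if e[1] in ("fopen", "BIO_new_file")]
    if any("no such file" in e[0].lower() for e in opens):
        return f"{path}: not found; check the file paths in cosign.dll.config"
    if opens:
        return f"{path}: open failed ({opens[0][0]}); check that the file is readable"
    return f"{path}: opened but not loaded; check that the certificate files are valid"
```
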






 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010