Re: runtime requirements for IISCosign

[jarod@xxxxxxxxx]

Phil,

I think I can see what is happening.  In the first scenario the CA file 
doesn't 'match-up' with the provided key/cert pair.  This causes the 
OpenSSL libraries to fail.  In the second case (when you renamed the file) 
your cosign.dll.config file is still pointing to the previous file name for 
the CA file.  It can't find the file so it fails.

Sorry the messages are verbose and confusing.  I tried to leverage each 
libraries' error-reporting routines when possible.  Do you (or anybody else 
reading this :) think it would be helpful if the IISCosign log files 
suggested solutions?  For example:

[ti:me:stamp] SetCosignCerts failed.  Make sure file paths are correct in 
cosign.dll.config and certificate files are valid.

Maybe the latter part is a bit vague, but something similar perhaps?

--Jarod Malestein
--University of Michigan
--ITCS

--On Friday, April 16, 2004 5:18 PM -0400 Phil Pishioneri <pgp@xxxxxxx> 
wrote:

> On 4/12/04 5:56 PM, jarod@xxxxxxxxx wrote:
>
> > Almost everything you need to run IISCosign is included with the
> > installer. ...
> >
> > The extra run-time requirements involves SSL certificates.  You will
> > need a certificate authority file as well as a private key and a
> > signed certificate.
>
>
> I had been testing on apache earlier with my own CA, which was working
> fine.
>
> > Were you having trouble getting IISCosign to load?  Did any of this
> > help?
>
>
> Yes, it was related to my CA file (almost seems related to the name I'd
> choose for it), and I still don't know why it works now.  I could use the
> openssl you supply to examine both CA files without any problems.
>
> When the filter would fail for me (specifying it in CAFilePath),
> CosignLog.csl (trimmed) would show this error (note the first "line 556"
> entry)
>
> > GetFilterVersion: Getting SSL certificates.
> > SSL_CTX_load_verify_locations( C:\Program
> > Files\IISCosign\SSL\ASET-CA.pem ) failed.
> > D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> > Input/output error
> > fopen
> > system library
> > D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> > system lib
> > BIO_new_file
> > BIO routines
> > D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> > system lib
> > X509_load_cert_crl_file
> > x509 certificate routines
> > GetFilterVersion::SetCosignCerts() failed
> > Terminating Cosign Filter
>
> which isn't quite the same as when I'd rename the file to see if I had
> mistyped the path
>
> > GetFilterVersion: Getting SSL certificates.
> > SSL_CTX_load_verify_locations( C:\Program
> > Files\IISCosign\SSL\ASET-CA.pem ) failed.
> > D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> > No such file or directory
> > fopen
> > system library
> > D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> > no such file
> > BIO_new_file
> > BIO routines
> > D:\Dev\cvsified\IISCosign\Cosign\CosignMain.cpp line 556: SSL Error:
> > system lib
> > X509_load_cert_crl_file
> > x509 certificate routines
> > GetFilterVersion::SetCosignCerts() failed
> > Terminating Cosign Filter
>
> I would like to get a handle on this for when we start deploying the
> service.
>
> -Phil