CoSign: Collaborative Single Sign-On  
AnnouncementsDiscussion
 
 
home
download
build
overview
wiki
faq
filter
roadmap
license

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: access problem

Ok, this was my fault.  I assumed, since we had Openssl running on the web site that we had a random number generator.  However, after trying to create a test certificate using CA.pl, I noticed an Openssl error for PRNG, a random seed error.  So I got the HP KRNG depot file and fixed that issue.

Thanks much for your time.

-----Original Message-----
From: Goldrick, Jim 
Sent: Tuesday, November 02, 2004 7:31 AM
To: 'Wesley D Craig'
Cc: cosign-discuss@xxxxxxxxx
Subject: RE: access problem


Thanks Wesley,

Hope I can pick your brain a little more.  I put that in.  I also upgraded to OpenSSL 9.7e. Now I am getting this in the apache log:

snet_starttls: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protoc
ol
Unable to connect to any Cosign server.

this is in the syslog.log:

Nov  1 16:52:18 judsonhp cosignd[5759]: connect: 10.100.0.142
Nov  1 16:52:18 judsonhp cosignd[5759]: f_starttls: snet_starttls: error:140B544
E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed

Any suggestions or direction would be appreciated.  I am using self signed certs.  I read where you all used them and I am trying to test.  They do pass the basic verify test, however, I do not get much output when doing the openssl test on the list:

cat /dev/null | /opt/openssl-0.9.7e/apps/openssl s_client -connect acadinfo.juds
oncollege.edu:6663 -CApath /opt/apache/etc/ssl.crt  -cert /opt/apache/etc/ssl.cr
t/server.crt -key /opt/apache/etc/xxxxx.key/xxxxxxxxxx.key -starttls smtp

I am using the basic approach.

Thanks much

jim goldrick



-----Original Message-----
From: Wesley D Craig [mailto:wes@xxxxxxxxx]
Sent: Monday, November 01, 2004 6:17 PM
To: Goldrick, Jim
Cc: cosign-discuss@xxxxxxxxx
Subject: Re: access problem


On 29 Oct 2004, at 16:03, Goldrick, Jim wrote:
> Where does the Judson College come from?  The certificate?  Should it 
> be in the conf file?  here is that.

The string "Judson College" is coming from the CN of the certificate.  
You could put that name in the conf file, if the conf file supported 
quoting, which it doesn't currently.  Typically, certificates for web 
services have a hostname for the CN.  To get it to "just work" for 
testing purposes, you can specify a wildcard, e.g.,

	service	*	0

Hope that helps.

:wes
 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010