Re: multiple cosign configuration and runtime issues

[johanna bromberg craig <canna@xxxxxxxxx>]

Hey Ben,

On Nov 10, 2004, at 7:27 PM, Ben Poliakoff wrote:
> Issue #1
>
> When I try to logout something funny happens, apache give me an
> "internal error page" and I in my apache errorlog I see:
>
> /usr/local/cosign/certs/weblogin.reed.edu.key: No such file or 
> directory

Are mod_cosign and the cgi/daemon running on the same host? That error 
could be from the logout cgi. and not mod_cosign.

> My CosignCrypto looks like this:
>
> CosignCrypto    /var/cosign/certs/key.pem /var/cosign/certs/cert.pem 
> /var/cosign/certs/CA
>
> Shouldn't mod_cosign be looking for /var/cosign/certs/key.pem?

yes, you are 100% correct. This is why i think it's the logout cgi. :)

> Issue #2
>
> So I tried playing along and started making some symlinks so that
> /var/cosign/certs/key.pem was linked to
> /usr/local/cosign/certs/weblogin.reed.edu.key (ditto with the cert).
>
> This get's me a little further, but then I hit the next issue.
> My cert isn't verifying.  Stracing httpd I find that it thinks
> the CAdir is /usr/share/ssl/cert.pem! (i.e. it's looking for
> /usr/share/ssl/cert.pem/ddc328ff.0 and naturally not finding it).  I
> don't find the string "/usr/share/ssl/cert.pem" anywhere in cosign, but
> I do see it in in OpenSSL's "libcrypto.so", presumably it's a hard 
> coded
> default that's not getting overridden by any other setting.

once again this kinda depends on your setup of the cgi, the daemon, and 
the module. The cgi and daemon's cert/key/CAPath are built at compile 
time (tho you can override daemon's option on the cmd line) based on 
the options you give configure. mod_cosign's come from the CosignCrypto 
directive. I have no idea where " /usr/share/ssl/cert.pem" comes from, 
it is not a hardcoded default of ours at all. Maybe it's an OpenSSL 
conf thing? All part of cosign should be using their respective CApaths 
and nothing from openssl itself.

> Issue #3
>
> Playing along again I make /usr/share/ssl/cert.pem a link to
> /var/cosign/certs/CA/ (a directory that contains my cacerts and the 
> hash
> links to each of them).  This gets me just a little further.  But 
> logout
> still fails with
>
> apache's errorlog reporting:
>
>     net_logout: 511 LOGOUT: Invalid cookie name.
>
> and cosignd reporting to syslog:
>
>     cosignd[15584]: f_logout: cookie name contains '/'
>
> And indeed the cookie name *does* include a / (two of them actually).
> Here's the debug (slightly edited) output from cosignd:
>
>     debug: LOGOUT
>     cosign=FtSw0jUie..snip..8cAizQWFY/1100124532/2 xxx.xxx.xxx.xxx
>
> So I'm not sure if there are many problems here or just a single one.

this is 1.7.0? I have it running on our cosign-test and I am able to 
logout ok. There was a bug a while back when i first added the / bits 
that cosign.cgi knew about the /s and logout.cgi did not, but this has 
been fixed for a while. :)

put 2 fprintfs like this by this bit of code in logout.cgi (line 191):

    /* only the cosign= cookie and not the loop breaking info */
fprintf( stderr, "cookie with slash: %s\n", cookie );
    (void)strtok( cookie, "/" );
fprintf( stderr, "cookie NO slash: %s\n", cookie );

and in my logout cgi i get ( cookie truncated so as not to wrap too 
much):

cookie with slash: 
cosign=5EhvIA76oYEfHw8+EsRvK2iByG2rZSPagaytZpdSKPC9/1100134223/1
cookie NO slash: cosign=5EhvIA76oYEfHw8T+EsRvK2iByG2rZSPagaytZpdSKPC9

I'd like to see what you get. :)
-J