Discussion:
try to understand why to use SSLVerifyClient optional_no_ca
d***@public.gmane.org
2010-02-20 14:38:19 UTC
Hello

I see in the IdP documentation for Apache that I need to put SSLVerifyClient optional_no_ca for the AA server.
OK, the AA needs to verify a certificate, why not...
What is the certificate to be checked? (The SP? My SP uses HTTP, not HTTPS.)
Sorry, I don't understand this point.
I suppose the IdP's certificate is to be checked? But how does it really work? There is no handshake for my HTTP SP...
I would like to understand better how the AA works. Could you tell me the operation in more detail? Sorry, I did not find any documentation on this specific subject.
Thanks a lot.

Best regards

David
Chad La Joie
2010-02-20 14:45:40 UTC
That option does not stop any of the normal SSL flow, it only allows the
PKIX validation of the incoming certificate to be skipped (technically,
in the code, I think it fails and is silently ignored). So the
connection is still encrypted via the normal SSL/TLS mechanism.

The unchecked certificate, which is the SP's client certificate, is then
passed on to the IdP which then checks the certificate against the
metadata it has loaded. If this was not done you would have to extract
all certificates from the metadata, every time it changed, and populate
the directory used by openssl. You'd also have to make sure to remove
all the old ones and confirm various other things about the certificates.

In general, PKIX validation is very brittle and very difficult for
people to maintain properly. By using the metadata as a trust fabric,
instead of a bunch of CAs, we can ensure the same level of security
(some would argue greater security) whilst removing most of the
difficult parts of dealing with certificates.
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
Scott Cantor
2010-02-20 21:35:44 UTC
> I would like to know which object asks to check the client certificate (the
> Apache server of the IdP or the shibd daemon of the SP).
Asking for a certificate from the client is the responsibility of the TLS
implementation. Doing something with the certificate is possible at a few
different layers. In no case does the SP have anything to do with it. I
don't know what picture you might have in your head, but the SP is the
client so obviously it has nothing to do with checking the client
certificate.
> In the configuration of the Apache server of the IdP for the AA, the
> certificate is asked to be checked; however, I didn't indicate the
> parameter "SSLVerifyClient require"!
Asked in what way? Based on what evidence?
> What are the factors that trigger the need to put the option
> "SSLVerifyClient optional_no_ca" while most of the time you can omit it?

You can't omit it, period. If it's not there, the certificate shouldn't ever
show up at the server, and if it's not set to that value, then either the
Apache configuration accidentally validated the certificate because it
happened to be commercially signed, or there was no back-channel involved to
begin with and it was never contacted.

-- Scott
d***@public.gmane.org
2010-02-20 21:17:18 UTC
Thanks for your reply.

Actually, this is what I thought. But some Shibboleth errors make me doubt the mechanism involved.
I would like to know which object asks to check the client certificate (the Apache server of the IdP or the shibd daemon of the SP). In the configuration of the Apache server of the IdP for the AA, the certificate is asked to be checked; however, I didn't indicate the parameter "SSLVerifyClient require"!
What are the factors that trigger the need to put the option "SSLVerifyClient optional_no_ca" while most of the time you can omit it?

Thanks again

David
d***@public.gmane.org
2010-02-21 09:43:51 UTC
OK, I can't omit this Apache parameter SSLVerifyClient optional_no_ca.

I have SP 1.3 (Linux Fedora 4) and IdP 1.3 working well without this option.
I am trying to use SP 2 (Linux x64) with the same IdP 1.3.
The SP log writes, for the AA sequence:

ERROR XMLTooling.SOAPTransport.CURL [2]: supplied TrustEngine failed to validate SSL/TLS server certificate

ERROR Shibboleth.AttributeResolver.Query [2]: exception during SAML query to https://myidp.aa:443/shibboleth/AA: CURLSOAPTransport failed while contacting SOAP endpoint (https://myidp.aa:443/shibboleth/AA): SSL certificate problem, verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
ERROR Shibboleth.AttributeResolver.Query [2]: unable to obtain a SAML response from attribute authority

This help page https://spaces.internet2.edu/display/SHIB2/NativeSPTroubleshootingCommonErrors

recommends using SSLVerifyClient optional_no_ca.
I am just trying to understand better why I don't need to use it with my SP 1.3 and must use it for my SP 2. I suppose that my SP certificate is wrong (a certificate auto-generated by my SP).
And yes, my IdP SSO is HTTP and my AA is HTTPS on port 433; could using port 443 for the AA be bad?

Thanks a lot again for your help.

Best regards

David
Peter Schober
2010-02-21 12:40:15 UTC
Post by d***@public.gmane.org
And yes, my IdP SSO is HTTP and my AA is HTTPS on port 433; could using port 443 for the AA be bad?
The short answer: You're not doing what is (or was) documented and
recommended by the project. Usually that means you know what you're
doing and you are hence on your own with all debugging. Doing things
differently for no apparent reason, and then asking the project what
all that means, is not a sensible strategy.

As for the AA sharing the same vhost with the rest of the IdP:
There used to be (and possibly still is) a problem with Apache httpd
where specifying certain mod_ssl directives only worked in server or
vhost context, not location (as would be needed to have the IdP SSO
application on the same vhost as the AA role).
Also some of the recent openssl security problems might still affect
you in this case (but check the archives, it's all in there).

But you really should update your IdP anyway and when you do that do
it by following the official install instructions for the 2.x IdP.
As you will see there is no mention (and no use) of Apache httpd
anywhere, so you can happily forget about all those questions.
-peter
Scott Cantor
2010-02-21 23:34:55 UTC
> The AA server uses another key and certificate for HTTPS.
Then you need to put it in the metadata for the appropriate role. That's not
new. Your old SP would be failing in the same way.
> Maybe I should indicate the HTTPS server certificate somewhere?
> How could I remove this certificate error?
You should start by reading the background material before you continue to
deploy on your own.

https://spaces.internet2.edu/display/SHIB2/Metadata
https://spaces.internet2.edu/display/SHIB2/TrustManagement

-- Scott
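To make concrete the trust model Chad describes above (the IdP checks the SP's client certificate against metadata rather than a CA, which is why Apache is told optional_no_ca) and Scott's later point that the AA's separate HTTPS certificate must be published in metadata before the SP's TrustEngine will accept it, here is an added Python example; it is not code from the thread or from Shibboleth, and the metadata, entity IDs and certificate bytes are constructed stand-ins.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER-encoded certificates; a real deployment carries
# real X.509 DER here, and the comparison below is byte-for-byte either way.
SP_CERT_DER = b"constructed DER of the SP's self-signed client certificate"
AA_CERT_DER = b"constructed DER of the AA vhost's separate HTTPS certificate"

def key_descriptor(der):
    """Wrap a DER cert the way metadata publishes it (base64 in X509Certificate)."""
    return ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            "<ds:X509Certificate>" + base64.b64encode(der).decode() +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def metadata_with(aa_cert_der=None):
    """Constructed metadata: an SP role plus an AA role that may lack its key."""
    aa_key = key_descriptor(aa_cert_der) if aa_cert_der else ""
    return (f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
            '<md:EntityDescriptor entityID="https://sp.example.org/shibboleth">'
            "<md:SPSSODescriptor>" + key_descriptor(SP_CERT_DER) + "</md:SPSSODescriptor>"
            "</md:EntityDescriptor>"
            '<md:EntityDescriptor entityID="https://myidp.aa/shibboleth">'
            "<md:AttributeAuthorityDescriptor>" + aa_key + "</md:AttributeAuthorityDescriptor>"
            "</md:EntityDescriptor></md:EntitiesDescriptor>")

def metadata_certs(metadata_xml, entity_id, role):
    """Collect the DER certs metadata publishes for one entity's role."""
    certs = set()
    for ent in ET.fromstring(metadata_xml).findall("md:EntityDescriptor", NS):
        if ent.get("entityID") != entity_id:
            continue
        for kd in ent.findall(f"md:{role}/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue  # encryption-only keys never authenticate a TLS peer
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.add(base64.b64decode("".join(cert.text.split())))
    return certs

def trusted_by_metadata(metadata_xml, entity_id, role, presented_der):
    """Explicit-key trust: the peer is accepted only if the exact certificate it
    presented is published for that role; no CA chain is consulted, which is
    why Apache is told optional_no_ca and the check is left to the IdP or SP."""
    return presented_der in metadata_certs(metadata_xml, entity_id, role)
```

With the AA's key absent from metadata the SP-side check fails exactly as the "TrustEngine failed to validate SSL/TLS server certificate" log line in the thread reports; adding the AA's KeyDescriptor makes the same check pass.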
