Bug
Resolution: Answered
High
2.2.7, 2.3.1
The issue:
When using self-signed certificates for SSL, the Apache mod_authnz_crowd module (Crowd Apache Connector) rejects the certificate regardless of the configuration on the Crowd server.
The symptoms:
When setting CrowdURL to an https value in Apache you will receive a 500 error in the browser; looking in the Apache error_log you will see: "Failed to send authentication request (CURLcode 60)". This is returned by the CURL library that the module uses to make its connection, and error code 60 from the CURL library can be found here: http://curl.haxx.se/libcurl/c/libcurl-errors.html
CURLE_SSL_CACERT (60) - Peer certificate cannot be authenticated with known CA certificates.
A quick look at the CURL manual (http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYPEER) reveals: "This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't."
The Solution:
See attached patch file, simple one liner fix.
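Added example, not part of this report or of the Crowd connector's own code: a Go stand-in for the connector's request that trusts the self-signed Crowd certificate explicitly (the libcurl equivalent is pointing CURLOPT_CAINFO at that certificate) instead of setting CURLOPT_SSL_VERIFYPEER to 0, shown beside a default client that fails the same way the module does. The server is a constructed httptest fixture; the function names (newSelfSignedServer, clientTrusting, fetch, isUnknownCA) are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// newSelfSignedServer stands in for a Crowd server whose HTTPS certificate
// is self-signed (constructed fixture; httptest generates the certificate).
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	}))
}

// clientTrusting returns a client that verifies the server against the given
// certificate only. This keeps peer verification on and is the equivalent of
// libcurl's CURLOPT_CAINFO, as opposed to CURLOPT_SSL_VERIFYPEER = 0, which
// makes the request succeed against any certificate at all.
func clientTrusting(cert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// fetch performs the request the connector would make and returns the body.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// isUnknownCA reports the failure libcurl surfaces as CURLE_SSL_CACERT (60):
// the peer certificate does not chain to any trusted CA.
func isUnknownCA(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
```

With the system CA bundle the request fails with the unknown-authority error; with the Crowd certificate added to the trust pool it succeeds and the peer is still authenticated.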
[CWD-2609] Crowd Apache Connector (mod_authnz_crowd) fails when using https with self signed certificates
Change history:
Field | Original | New
Workflow | Simplified Crowd Development Workflow v2 - restricted [ 1509891 ] | JAC Bug Workflow v3 [ 3364823 ]
Status | Resolved [ 5 ] | Closed [ 6 ]
Workflow | Simplified Crowd Development Workflow v2 [ 1392398 ] | Simplified Crowd Development Workflow v2 - restricted [ 1509891 ]
Workflow | Crowd Development Workflow v2 [ 339527 ] | Simplified Crowd Development Workflow v2 [ 1392398 ]
Resolution | | Answered [ 9 ]
Status | Open [ 1 ] | Resolved [ 5 ]
Labels | backlog |
Labels | | backlog
Attachment | | crowd_client-ssl-verification.patch [ 62841 ]
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html