
Crowd Apache Connector (mod_authnz_crowd) fails when using https with self signed certificates

      The issue:

      When using self-signed certificates for SSL, the Apache mod_authnz_crowd module (Crowd Apache Connector) rejects the certificate regardless of configuration on the Crowd server.

      The symptoms:

      When setting CrowdURL to an https value in Apache you will receive a 500 error through the browser; looking in the Apache error_log you will see: "Failed to send authentication request (CURLcode 60)". This is returned by the CURL library that the module uses to make its connection, and error code 60 from the CURL library can be found here: http://curl.haxx.se/libcurl/c/libcurl-errors.html

      CURLE_SSL_CACERT (60) - Peer certificate cannot be authenticated with known CA certificates.

      A quick look at the CURL manual (http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYPEER) reveals: This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.

      The Solution:

      See attached patch file, simple one liner fix.


            Craig Gill added a comment -

            http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html

            Craig Gill added a comment -

            As long as the curl option 'CURLOPT_SSL_VERIFYPEER' is being added, you should also add the option 'CURLOPT_SSL_VERIFYHOST'

            'CURLOPT_SSL_VERIFYHOST' has a default option of 2 when not specified which makes curl verify the SSL host's name matches the SSL cert's common name or a SAN name.

            In some cases where the SSL host's name doesn't match the SSL cert's common name or SAN name and that is OK for your environment, you want to set that option to 0 or in your Apache error log you will see this error 'Failed to send authentication request (CURLcode 51 - SSL peer certificate or SSH remote key was not OK)'

            In 'crowd_client.c' at line 525 I added the below line and re-compiled the apache module to accomplish the above:

            curl_easy_setopt(curl_easy, CURLOPT_SSL_VERIFYHOST, 0)


            joe added a comment -

            Thanks. I've committed that patch to the public Bitbucket repository: 7af3f02a1373, in a branch for now.


            Abigail Edwards added a comment -

            I wrote a patch for my environment to extend the module to have some additional configuration directives to give you the option of specifying a path to curl's SSL certificate store or to allow you to choose to disable peer validation altogether. The module defaults to verifying peer SSL certificates but at least gives the end user the option of consciously choosing to disable the verification if they want to or need to (i.e. in the case of wildcard certs where even with the cert imported in curl the peer fails hostname validation).

            The patch is attached in a file called crowd_client-ssl-verification.patch and it adds two directives called CrowdCertPath and CrowdSSLVerifyPeer.
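As an added example (not code from this issue or from the mod_authnz_crowd module), here is the hostname check that curl's default CURLOPT_SSL_VERIFYHOST=2 performs, written in Python so the CURLcode 60 and CURLcode 51 outcomes discussed above can be reproduced for a given CrowdURL and the names in a certificate. It assumes DNS hostnames only (no IP literals) and that names come from the certificate's SAN dNSName entries, with the CN used only when there is no SAN; all URLs and certificate names in it are constructed.

```python
from typing import List, Optional
from urllib.parse import urlparse

# Added example: mirrors the name check libcurl applies with CURLOPT_SSL_VERIFYHOST=2.
# Assumptions: DNS hostnames only (no IP literals); names are the cert's SAN
# dNSName entries, with the CN consulted only when the cert has no SAN at all.


def _name_matches(pattern: str, host: str) -> bool:
    """One certificate name vs. the CrowdURL host: exact match, or a lone '*'
    that covers exactly one leftmost label (RFC 6125 style, as libcurl does)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*' must be the whole leftmost label and leave at least two literal labels,
    # so "*.com" or "cr*.example.com" never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_crowd_url(crowd_url: str, san_dns: List[str], common_name: Optional[str]) -> bool:
    """True when the host in CrowdURL is covered by the certificate's names."""
    host = urlparse(crowd_url).hostname
    if not host:
        return False
    # Once any SAN is present the CN is ignored, which is what bites certs that
    # only carry the hostname in the CN.
    names = san_dns if san_dns else ([common_name] if common_name else [])
    return any(_name_matches(n, host) for n in names)


def diagnose(crowd_url: str, san_dns: List[str], common_name: Optional[str], ca_trusted: bool) -> str:
    """Map the (CA trust, name match) outcome to the CURLcode Apache's error_log would show."""
    if not ca_trusted:
        return "CURLcode 60: peer certificate not signed by a trusted CA (point CURLOPT_CAINFO at the self-signed cert)"
    if not cert_matches_crowd_url(crowd_url, san_dns, common_name):
        return "CURLcode 51: certificate name does not cover the CrowdURL host (reissue with a matching SAN)"
    return "OK: verified with CURLOPT_SSL_VERIFYPEER=1 and CURLOPT_SSL_VERIFYHOST=2"


if __name__ == "__main__":
    # Constructed inputs: a wildcard cert covers exactly one label, so the second case fails.
    print(diagnose("https://crowd.example.com:8443/crowd", ["*.example.com"], None, ca_trusted=True))
    print(diagnose("https://crowd.internal.example.com/crowd", ["*.example.com"], None, ca_trusted=True))
```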

            Adrian Hempel [Atlassian] added a comment - edited

            While the provided fix overcomes the failure, it does compromise the security of the SSL connection to Crowd, as the Crowd server's SSL certificate will no longer be validated.

            It is not recommended by Atlassian.

            Instead, consider using the following patch as a workaround:

            --- src/crowd_client.orig    2011-07-29 15:44:46.000000000 +0800
            +++ src/crowd_client.c    2011-07-29 15:33:29.000000000 +0800
            @@ -517,6 +517,7 @@
            #endif
                        || curl_easy_setopt(curl_easy, CURLOPT_HTTPHEADER, headers)
                        || curl_easy_setopt(curl_easy, CURLOPT_TIMEOUT, config->crowd_timeout)
            +            || curl_easy_setopt(curl_easy, CURLOPT_CAINFO, "/path/to/the/certificate.crt")
                        || (post && (curl_easy_setopt(curl_easy, CURLOPT_POST, 1)
                        || curl_easy_setopt(curl_easy, CURLOPT_READFUNCTION, read_crowd_authentication_request)
                        || curl_easy_setopt(curl_easy, CURLOPT_READDATA, &read_data)
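            Review bot: the added CURLOPT_CAINFO line hard-codes "/path/to/the/certificate.crt" into crowd_client.c, so every deployment has to edit the source and rebuild, and a wrong or unreadable path makes every Crowd request fail with the same CURLcode 60 this issue reports; the path belongs in a configuration directive read into `config` next to `config->crowd_timeout` (the CrowdCertPath directive described in the earlier comment is exactly that), for example `|| curl_easy_setopt(curl_easy, CURLOPT_CAINFO, config->crowd_cert_path)`. It is worth stating in the comment that this line leaves CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST at their defaults, which is the intended outcome: the self-signed certificate is trusted as its own CA, and the host in CrowdURL must still match the certificate's CN or SAN, otherwise the CURLcode 51 error from the earlier comment still appears.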
            

            Where "/path/to/the/certificate.crt" is a file containing the certificate.


              Assignee: Unassigned
              Reporter: Moodle Sysadmin