Thanks, I am still getting the error:num=20. I wonder if the issue is that the root cert for our CAS server is chained? Anyway I'll get the guys that run our CAS server to resend me the root certs. Maybe they just didn't send me the right cert.
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593

-----Original Message-----
From: Matthew J. Smith [mailto:[email protected]]
Sent: Friday, August 27, 2010 1:31 PM
To: [email protected]
Subject: RE: [cas-user] Question re: mod_auth_cas vs. cas java filters

Bryan-

Run your openssl s_client command again, but specify -CApath to point to the same location as CASCertificatePath. If that doesn't clear up your error:num=20, then something is amiss with your root cert.

-Matt

On Fri, 2010-08-27 at 15:24 -0400, Bryan Wooten wrote:
> Thanks for the reply.
>
> Our cas server is ulogin.utah.edu, its cert's CN is *.utah.edu.
>
> It didn't even occur to me that java was doing the server validation behind
> the scenes...
>
> Now I am even more curious as to why our java CASified apps can talk to our
> CAS server with no problem but my apache server with mod_auth_cas gets the
> name validation error.
>
> I wonder if there is something amiss in my openssl installation (or
> mod_auth_cas build?) on the apache server (running on windows server).
>
> There is probably a clue in here somewhere:
>
> C:\OPENSS~1>openssl s_client -host ulogin.utah.edu -port 443
> Loading 'screen' into random state - done
> CONNECTED(000000E0)
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Glo
>
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=Utah/L=Salt Lake City/O=The University of Utah/OU=Office of
> ation Technology/CN=*.utah.edu
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
>    i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits li
> U=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification
> ity
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIG9TCCBd2gAwIBAgIQD9hvzFZFS/efZthhYRN+UzANBgkqhkiG9w0BAQUFADBc
> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
> d3cuZGlnaWNlcnQuY29tMRswGQYDVQQDExJEaWdpQ2VydCBHbG9iYWwgQ0EwHhcN
> MDcwNTE4MDAwMDAwWhcNMTAwOTE3MjM1OTU5WjCBljELMAkGA1UEBhMCVVMxDTAL
> BgNVBAgTBFV0YWgxFzAVBgNVBAcTDlNhbHQgTGFrZSBDaXR5MR8wHQYDVQQKExZU
> aGUgVW5pdmVyc2l0eSBvZiBVdGFoMSkwJwYDVQQLEyBPZmZpY2Ugb2YgSW5mb3Jt
> YXRpb24gVGVjaG5vbG9neTETMBEGA1UEAxQKKi51dGFoLmVkdTCCASIwDQYJKoZI
> hvcNAQEBBQADggEPADCCAQoCggEBALCoBRXKMHgCPnBRbmHwsdmPDU9lkaJWfKz4
> UmdvHn7szjAVxKeKV/N7V1LGB0jtK6NJKZLmnyPAV/JX9LOpzx0pbVzmWKR+skH6
> ouPpsb6Gcm0Mb+mAHzduN0Q/CMzJk5lMn+x3yfWZgB/YfYq70YYz8u1qQdYXcvgp
> LHermWNNWuaSJ+hGF4jVg0aStOP0f1T6OgnCBfcnXPtYUSfSWqJknqBZfRo2/5dR
> F3idEYktAfJwsvHcx+zy1oGDfOQyg9Ny6PvTiNyE47i+GTSf2iCGYWqmky/V4MIb
> rQRSJ9qfLvYeejl+OsCMJazU/ieiSQFjN8v4mVyMJmwt8EVVe9kCAwEAAaOCA3Yw
> ggNyMB8GA1UdIwQYMBaAFKfHE6B6ATyd74JIgkjVc1G2ElYqMB0GA1UdDgQWBBRU
> HUeNjB7VadyhpNpYbKmRjluHVzAwBgNVHREEKTAngg91bG9naW4udXRhaC5lZHWC
> CHV0YWguZWR1ggoqLnV0YWguZWR1MHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcw
> AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEAGCCsGAQUFBzAChjRodHRwOi8v
> d3d3LmRpZ2ljZXJ0LmNvbS9DQUNlcnRzL0RpZ2lDZXJ0R2xvYmFsQ0EuY3J0MA4G
> A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMH8GA1UdHwR4MHYwOaA3oDWGM2h0
> dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbENBLTIwMDlkLmNy
> bDA5oDegNYYzaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFs
> Q0EtMjAwOWQuY3JsMIIBxgYDVR0gBIIBvTCCAbkwggG1BgtghkgBhv1sAQMAATCC
> AaQwOgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3NzbC1jcHMt
> cmVwb3NpdG9yeS5odG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5ACAAdQBz
> AGUAIABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABlACAAYwBv
> AG4AcwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAgAG8AZgAg
> AHQAaABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABhAG4AZAAg
> AHQAaABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwByAGUAZQBt
> AGUAbgB0ACAAdwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBpAGwAaQB0
> AHkAIABhAG4AZAAgAGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABlAGQAIABo
> AGUAcgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wHQYDVR0lBBYw
> FAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQCNaLCCXrnZ
> /Vu7FndfY3hLyKXaM4t7PtEJ5jTP2TGSmP22GfEhFhkd4K+aZNuUGzowOWoeMeej
> Ky8WZYCJMqY6uEg7ctRL8X2TrKsYdNfmtVC2JbDjnMQmg2NaGYuuYA0o2o4I/sHf
> venO3js1ndbvrAU5uUnOWAu7wwGgINDpLAfuRYTkv6ShmPkdg0tF02/DGF3O+HSC
> TuFIwWvjgZg9G1kO5JMQY+MnWC5HVg/9Rbs0512pya7XipfQfkV7kNodAXKcw0ds
> edI84fQPeLlFqKD7UfrN+KSF8ayFh7T77okz+XSFKz7GpxsPY6Vue524bEkIKNm5
> /iZ49nsHBAww
> -----END CERTIFICATE-----
> subject=/C=US/ST=Utah/L=Salt Lake City/O=The University of Utah/OU=Office
> ormation Technology/CN=*.utah.edu
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3642 bytes and written 408 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8CFE7193B8EBAF1013713A905659FF8F69629007483979B613ADBDC4DF
>
>     Session-ID-ctx:
>     Master-Key: 73EF831DDA972CA70A1F6CE8FFAA6BADAC72C9E7B63F382164E8046307
> 7CF60CDA2E0FBCAD0506228DDD3D4537
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1281466250
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
> ---
> closed
>

-- 
Matthew J. Smith <[email protected]>
University Information Technology Services

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
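Added illustration (not part of the thread, and not mod_auth_cas's own code): the script below reproduces Matt's diagnosis offline. It builds a throwaway root -> intermediate -> leaf chain with the openssl command-line tool (the names Example Root CA, Example Intermediate CA and cas.example.test are constructed for the example; nothing here uses the real utah.edu or DigiCert certificates), then shows when OpenSSL reports "unable to get local issuer certificate" (error 20) and when it does not: root only with the intermediate missing, root plus intermediate, a -CApath directory whose file is not named by subject hash, the same directory with the hashed name, and finally -verify_hostname, because chain validity and name validation are separate checks. Hash-named lookup is how OpenSSL searches any certificate directory, which is what Matt's -CApath suggestion exercises.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the "verify error:num=20"
# situation with a throwaway three-tier chain (root -> intermediate -> leaf)
# and show which trust-store layouts OpenSSL accepts. The names below
# (Example Root CA, cas.example.test) are constructed; nothing here touches
# the real utah.edu or DigiCert certificates. Needs the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private req config so the system openssl.cnf cannot change the outcome.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:cas.example.test
EOF

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate).
openssl req -config req.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 1 2>/dev/null
openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile req.cnf -extensions v3_ca -days 1 -out inter.pem 2>/dev/null
openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=cas.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile req.cnf -extensions v3_leaf -days 1 -out leaf.pem 2>/dev/null

# verify_leaf TRUST-ARGS... : run openssl verify on leaf.pem with only the
# trust material given (-no-CAfile/-no-CApath keep the system store out of
# it) and echo the combined output for the callers to inspect.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath "$@" leaf.pem 2>&1 || true
}

# 1. Only the root is trusted and the intermediate is nowhere to be found:
#    this is the thread's error 20 (unable to get local issuer certificate).
check_root_only_fails() {
    verify_leaf -CAfile root.pem | grep -q 'unable to get local issuer certificate'
}

# 2. Same root, but the intermediate is offered as untrusted chain material
#    (what a correctly configured server sends in the handshake): OK.
check_with_intermediate_ok() {
    verify_leaf -CAfile root.pem -untrusted inter.pem | grep -q ': OK$'
}

# 3. A -CApath directory is searched by subject hash, so a root dropped in
#    under an arbitrary file name is never found ...
check_capath_unhashed_fails() {
    mkdir -p capath_bad
    cp root.pem capath_bad/root.pem
    verify_leaf -CApath capath_bad -untrusted inter.pem \
        | grep -q 'unable to get local issuer certificate'
}

# 4. ... while the same file under its <subject_hash>.0 name works. This is
#    what c_rehash / "openssl rehash" produce; on Windows, copy instead of link.
check_capath_hashed_ok() {
    mkdir -p capath_ok
    cp root.pem "capath_ok/$(openssl x509 -subject_hash -noout -in root.pem).0"
    verify_leaf -CApath capath_ok -untrusted inter.pem | grep -q ': OK$'
}

# 5. Chain validity is separate from name validation: the leaf carries
#    SAN DNS:cas.example.test, so another host name is rejected (error 62).
check_hostname_mismatch_fails() {
    verify_leaf -CAfile root.pem -untrusted inter.pem \
        -verify_hostname other.example.test | grep -qi 'hostname mismatch'
}
check_hostname_match_ok() {
    verify_leaf -CAfile root.pem -untrusted inter.pem \
        -verify_hostname cas.example.test | grep -q ': OK$'
}

report() { if "$2"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report "root only, intermediate missing -> error 20"  check_root_only_fails
report "root + -untrusted intermediate -> OK"         check_with_intermediate_ok
report "CApath with unhashed file name -> error 20"   check_capath_unhashed_fails
report "CApath with <hash>.0 file name -> OK"         check_capath_hashed_ok
report "-verify_hostname wrong name -> mismatch"      check_hostname_mismatch_fails
report "-verify_hostname right name -> OK"            check_hostname_match_ok
```

Two things worth reading back against the s_client output quoted above. First, the failure there is reported at depth=1, that is, while looking for the issuer of chain element 1 (DigiCert Global CA): the server already sends that intermediate, so the file the local lookup is missing is the intermediate's own issuer, the Entrust.net root named in the chain listing, not the *.utah.edu leaf's immediate issuer. Second, if CASCertificatePath is a directory, dropping the right root into it is not enough on its own; as case 3 shows, OpenSSL only finds a file there under its subject-hash name, which `openssl rehash` (OpenSSL 1.1.0 and later) or the older `c_rehash` script produce, and on Windows, where symlinks are not an option, a copy under the hashed name works just as well.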
