Srikar- Can you try two things? First, can you set "CASDebug on", just to make sure we get any and all relevant error messages?
Second, try setting "CASValidateServer off". This will prevent mod_auth_cas from trying to validate the CAS server's certificate. This will just help us eliminate potential problems. If that succeeds, turn it back on and we'll continue troubleshooting the SSL validation.

One more thing -- could you tell us about your platform?:

Apache version
Operating System version
OpenSSL version
Visual Studio version

HTH,
-Matt

On Thu, 2008-01-10 at 11:57 -0500, Srikar Kummamuri wrote:
> Here is what I did with no success.
>
> Went on to CAS Server machine, taken (copied) the server.crt file that
> was generated for the CAS Server machine using keytool to the client
> machine.
>
> Came back to the client machine. Opened the OpenSSL prompt.
>
> OpenSSL> x509 -noout -text -in C:\ssl\cas_sslcrt\server.crt -inform der
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 1193950368 (0x472a3ca0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=US, ST=VA, L=Alx, O=Agentrics, OU=Development, CN=alx-dev-wrk04.wwre.org
>         Validity
>             Not Before: Nov 1 20:52:48 2007 GMT
>             Not After : Jan 30 20:52:48 2008 GMT
>         Subject: C=US, ST=VA, L=Alx, O=Agentrics, OU=Development, CN=alx-dev-wrk04.wwre.org
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:93:94:15:eb:da:b2:82:4e:9e:7b:06:0d:3a:eb:
>                     a9:a8:84:87:72:f5:f1:de:bc:5b:b9:f6:db:a6:ea:
>                     ef:45:33:e0:87:bd:29:30:17:56:6e:72:be:8c:b5:
>                     b1:47:d6:e1:4c:d4:5f:02:39:4b:81:4e:a1:75:41:
>                     2c:34:8e:87:97:e8:55:96:8a:b5:ec:e1:7f:66:4b:
>                     28:61:7c:84:ca:28:f7:9f:f0:2a:91:49:62:12:13:
>                     fa:44:2d:de:23:7f:3f:fb:61:f7:6e:29:5c:38:cc:
>                     f5:6a:63:ce:1d:80:0d:64:b5:29:31:f2:7d:83:42:
>                     1c:af:28:ea:e4:9c:e4:4b:25
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: md5WithRSAEncryption
>         5c:e5:64:8f:ea:d8:ff:eb:3d:ae:1d:57:ce:13:fe:1c:a6:4a:
>         11:6f:b6:21:41:2b:bf:ba:8a:2d:ce:f8:d5:23:1b:09:1b:09:
>         3d:cf:97:fb:de:10:12:9a:60:8b:d3:ff:c1:3a:7f:c6:a7:26:
>         8a:35:cf:30:d6:70:ae:f7:7d:e0:a8:aa:c2:56:02:d2:61:f5:
>         72:2b:36:fe:63:6e:9b:73:f5:f7:4d:4b:f8:8d:ed:91:fb:00:
>         2e:fa:d5:d5:a4:11:6a:c8:77:17:32:7b:0f:ef:2d:92:c5:a2:
>         fb:25:13:6a:b2:18:c6:e6:c0:bb:54:a1:c6:31:aa:d5:21:a5:
>         1a:7a
> OpenSSL>
>
> The above shows the correct information of the cas server
> “alx-dev-wrk04.wwre.org”
>
> Now I converted it to PEM format.
>
> OpenSSL> x509 -out exported-pem.crt -outform pem -in C:\ssl\cas_sslcrt\server.crt -inform der
>
> I changed the httpd.conf
>
> CASCertificatePath C:/ssl/cas_sslcrt/exported-pem.crt
>
> Now the error.log is not complaining saying that it can not load the
> crt file but still HandShake is failing.
>
> [Thu Jan 10 11:49:56 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could not perform SSL handshake with alx-dev-wrk04.wwre.org (check CASCertificatePath)
>
> …Srikar
>
> ______________________________________________________________________
> From: Srikar Kummamuri
> Sent: Thursday, January 10, 2008 10:41 AM
> To: '[email protected]'
> Subject: RE: mod_auth_cas-1.0.6 released
>
> Scott,
>
> I tried to place the exact file in the path of CASCertificatePath. Now
> I gave the crt file directly in the path.
>
> CASCookiePath C:/ssl/
> CASCertificatePath C:/ssl/cas_sslcrt/server.crt
> CASValidateServer on
>
> And the error is,
>
> [Thu Jan 10 10:37:05 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could not load CA certificate file: C:/ssl/cas_sslcrt/server.crt
> [Thu Jan 10 10:37:05 2008] [error] [client 10.6.2.145] MOD_AUTH_CAS: Could not create an SSL connection to alx-dev-wrk04.wwre.org
>
> ..Srikar
>
> ______________________________________________________________________
> From: Srikar Kummamuri
> Sent: Thursday, January 10, 2008 10:05 AM
> To: '[email protected]'
> Subject: RE: mod_auth_cas-1.0.6 released
>
> Matt,
>
> I change the httpd.conf and problem still continues. Let me tell you
> what I did exactly. On the Apache (Mod_auth_cas) machine, I generated
> a CRT file with the keytool (given the CAS Server name in the first,
> last names argument of Keytool) same way that I did on the cas
> server. Now as you noted, I modified the httpd.conf file in both way
> with relative path and absolute path.
>
> CASCertificatePath C:\ssl\cas_sslcrt (In this directory crt file
> and .keystore were there)
>
> But the problem continues. My doubt is, Is this method (Generating the
> crt file with Keytool) is good for the Apache (Mod_auth_Cas) ???? Or
> do I need to look into certificate generation methods of OpenSsl??
>
> Any documents/links/help??
>
> Thanks a lot.
> Srikar.
>
> ______________________________________________________________________
> From: Srikar Kummamuri
> Sent: Wednesday, January 09, 2008 5:32 PM
> To: '[email protected]'
> Subject: RE: mod_auth_cas-1.0.6 released
>
> When the request comes back to Apache from the CAS server with the
> ticket (using mod_auth_cas), apache is throwing error.
>
> “Could not perform SSL handshake with alx-dev-wrk04.wwre.org (check
> CASCertificatePath)”
>
> In my config, httpd.conf calls the ssl.conf and the ssl.conf has the
> following line.
>
> SSLCertificateFile conf/sslcrt/server.crt
>
> Now the server.crt is the file generated for the CAS Server by the key
> tool (with the cas server machine name).
>
> What am I doing wrong here? Do I need to import this crt into
> something else? Or can somebody give me the clue to get this
> certificate into JVM on the apache server having mod_auth_cas? I
> resolved the same issue on a tomcat server running the CAS client but
> on this Apache (MOD_AUTH_CAS) I am not getting the idea of where to
> configure the self signed certificate.
>
> Thanks a lot
> Srikar.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
Matt Smith
[EMAIL PROTECTED]
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E
