Hi, I posted a message about this last week but didn't hear anything back from anyone.

As of OS X 10.5.3, Apple changed the way client certs are released. In the case that an Apache server is configured with SSLVerifyClient optional, you must specify an option on your client cert in the keychain to allow that cert to be released to that particular requesting server (in this case, our CAS server). The problem is you cannot specify wildcards in the option, and it considers URL parameters as part of the fixed URL. The end result is that CAS x509 auth breaks unless you were to explicitly specify every single possible entry point (i.e. every possible value of the 'service' parameter), which isn't pretty for larger deployments.

Of course you can set SSLVerifyClient required, but this precludes anyone from doing any other form of authentication if they don't have a client cert, since the SSL handshake will fail and then, game over. It's a catch-22 either way.

Has anyone else encountered this problem? If so, has anyone come up with any possible solutions? I appreciate any help or advice that could be provided. Thanks.

Sean

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
