On 08/23/2010 01:20 PM, Bram Cymet wrote:
> Hi,
>
> When I had my realm backended with kdb, pkinit worked with certificates
> just fine. Now that I have set up my realm to have an LDAP backend, when
> I try to kinit with certificates my kdc segfaults.
>
> Well, it is actually OpenSSL that crashes on a call to
> X509_get_subject_name(). The only reason I could really see this call
> failing is if the data being passed to it is not really an X.509 cert.
>
> Any ideas why this could be happening? Do I have to have the client
> cert in LDAP? Could this be a configuration problem?
>
> Thanks,

I have found the location of the problem. It is a certificate chain
verification problem. I know that my chain should validate; however:

A call to X509_verify_cert() in plugins/preauth/pkinit/pkinit_crypto_openssl.c
sets ctx->error to 0, which according to the OpenSSL source should not happen:

    #define X509_V_OK 0
    /* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */

So in this case openssl_callback_ignore_crls() returns 0 and the kdc goes on
to try and look at what should be a CRL, but since I am not checking a CRL
there is nothing there and it segfaults.

Before I was using the LDAP backend I was using the same cert generation
process and everything worked just fine, so I am fairly sure my certs are ok.
I am really not sure why my using the LDAP backend would have any effect on
how the certificate chain is validated.

I will continue to investigate this from an OpenSSL point of view, but has
anyone ever come across this before or have any idea what could be going on?

Thanks,

--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
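The chain check the KDC performs inside X509_verify_cert() can be reproduced outside the KDC with the openssl CLI, which separates a genuinely bad chain (a real verify error) from the CRL-unavailable case (error 3, X509_V_ERR_UNABLE_TO_GET_CRL) that openssl_callback_ignore_crls() is meant to tolerate. This is an added example, not code from the thread or from MIT Kerberos; the CA and leaf names are made up and generated in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce the KDC's chain verification with the openssl CLI.
# Assumes the openssl binary is on PATH; all key material is throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed test CA and one leaf cert issued by it (constructed
# sample data; subject names are invented).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Example-Test-CA \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj /CN=pkinit-test-client \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Exit status 0 means the chain verifies as X509_V_OK against the CA, which
# is the outcome the KDC expects before it ever consults CRL state.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same chain with CRL checking turned on but no CRL supplied. Prints the
# numeric X509 verify error; 3 is X509_V_ERR_UNABLE_TO_GET_CRL, the single
# error code the pkinit callback is written to ignore. Any other number
# is a real chain problem and would not be masked by that callback.
verify_with_crl_check_error() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" 2>&1 \
    | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

make_chain
if verify_chain; then
  echo "plain chain check: X509_V_OK"
else
  echo "plain chain check: verification failed (a real chain error)"
fi
echo "with -crl_check and no CRL: error $(verify_with_crl_check_error)"
```

If the plain check fails here with the same CA and leaf the KDC sees, the problem is in the certificates or trust anchors, not in the KDC backend; if it passes, the chain itself is not what is tripping the callback.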
