shibboleth-dev - Re: "Unfortunate" Thawte discovery
Re: "Unfortunate" Thawte discovery

  • From: "RL 'Bob' Morgan" <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Design Team <>
  • Subject: Re: "Unfortunate" Thawte discovery
  • Date: Fri, 26 Jul 2002 15:38:54 -0700 (PDT)


On Fri, 26 Jul 2002, Scott Cantor wrote:

> Turns out the server certs Thawte issues have the EnhancedKeyUsage field
> set to Server Authentication, which mod_ssl rejects for client
> authentication, preventing a site from sharing that SSL cert between
> mod_ssl on their site and the SHAR/mod_shib.
>
> I wonder if that behavior is configurable in mod_ssl. Changing that code
> would obviously not be attractive for numerous reasons.

We ran into this with pubcookie too, since we want to use SSL server certs
to do symmetric key establishment. OpenSSL lets the programmer provide a
cert verification callback that can apparently override the results of the
built-in verification. So Larry wrote one that ignores the key-usage
errors (see keyserver.c in the pubcookie src, or I can forward).
Obviously this would be a change to mod_ssl, hence unattractive. I don't
see any mod_ssl knobs about this. And adding a hack to do something
that's now explicitly prohibited by the RFC doesn't make for sleeping
comfortably.

- RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at

http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--
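The extended key usage rule behind the rejection discussed in this thread, as an added example that is not part of the original post or of the mod_ssl, pubcookie or Shibboleth code. "EnhancedKeyUsage" is Microsoft's name for the X.509 extKeyUsage extension; RFC 3280 (current when this was written) and its successor RFC 5280 (section 4.2.1.12) say that when the extension is present the certificate must only be used for one of the listed purposes, which is exactly why a cert carrying only serverAuth is refused as a client certificate. The block encodes EKU extension values in DER, decodes them back, and applies that rule; the key-purpose OIDs are the ones the RFC assigns, the sample extension values are constructed inline, and the function names are assumptions of this example.

```python
"""Extended Key Usage (EKU) check in the style an X.509 verifier applies.

Added example: encodes/decodes the extKeyUsage extension value (RFC 5280
section 4.2.1.12) and decides whether a given purpose is permitted.
"""

# KeyPurposeId OIDs from RFC 5280, section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])          # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                         # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return b"\x06" + _der_len(len(body)) + body


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Inverse of encode_oid. Assumes the first arc is 0, 1 or 2 with a second arc below 40,
    which holds for every OID used here."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                             # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the list of KeyPurposeId OIDs in an extKeyUsage value, rejecting malformed input."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("extKeyUsage member is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(v))
    if not oids:
        raise ValueError("extKeyUsage must list at least one KeyPurposeId")
    return oids


def allows_purpose(eku_der, purpose):
    """The RFC 5280 rule: with no EKU extension (None) any purpose is fine; with one
    present, the purpose must be listed or anyExtendedKeyUsage must appear."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return purpose in oids or ANY_EKU in oids


# Constructed sample extension values (not real Thawte certificates).
SERVER_ONLY = encode_eku([SERVER_AUTH])              # what the thread describes Thawte issuing
DUAL_USE = encode_eku([SERVER_AUTH, CLIENT_AUTH])    # what sharing one cert with mod_shib needs


if __name__ == "__main__":
    for name, eku in (("server-only", SERVER_ONLY), ("dual-use", DUAL_USE), ("no EKU", None)):
        print(f"{name:12} clientAuth={allows_purpose(eku, CLIENT_AUTH)} "
              f"serverAuth={allows_purpose(eku, SERVER_AUTH)}")
```

Run it and the server-only value fails the clientAuth check while passing serverAuth, the dual-use value passes both, and a certificate with no EKU at all passes both. The pubcookie approach described in the reply, an OpenSSL verify callback that ignores the key-usage error, amounts to returning True from `allows_purpose` whatever the extension says; the fix on the issuing side, which costs nothing in code, is a certificate whose EKU lists both purposes.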