Shibboleth Developers

["RL 'Bob' Morgan" <>]

On Fri, 26 Jul 2002, Scott Cantor wrote:

> Turns out the server certs Thawte issues have the EnhancedKeyUsage field
> set to Server Authentication, which mod_ssl rejects for client
> authentication, preventing a site from sharing that SSL cert between
> mod_ssl on their site and the SHAR/mod_shib.
>
> I wonder if that behavior is configurable in mod_ssl. Changing that code
> would obviously not be attractive for numerous reasons.

We ran into this with pubcookie too, since we want to use SSL server certs
to do symmetric key establishment.  OpenSSL lets the programmer provide a
cert verification callback that can apparently override the results of the
built-in verification.  So Larry wrote one that ignores the key-usage
errors (see keyserver.c in the pubcookie src, or I can forward).
Obviously this would be a change to mod_ssl, hence unattractive.  I don't
see any mod_ssl knobs about this.  And adding a hack to do something
that's now explicitly prohibited by the RFC doesn't make for sleeping
comfortably.

 - RL "Bob"


------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--