Shibboleth Developers

[Scott Cantor <>]

I've reissued the shib1/shib2 server certs using the bossie CA, as well
as the Handle Service signing cert on shib2.

After much confusion, I think I'm finally starting to understand chains
a bit better, as far as the software is concerned. Turns out libcurl
(and thus the SHAR) does support chains when authenticating the AA, but
I didn't fully grasp the obvious fact that if the AA doesn't include the
whole chain when it responds to the SSL hello, then the verify will fail
if there are any gaps in the chain, which is often the case. Um, duh.

To add to my confusion, mod_ssl does some interesting "automated" chain
construction even if you don't tell it to, and so shib2 was sending a
chain without me knowing it was doing it, which took me a while to
figure out.

Anyway, with different kinds of tweaking to mod_ssl or the ShibCA bundle
file, I can validate chains between the AA and SHAR now. That should
make it pretty easy to deal with chains in the SHIRE as well, once that
code is in C.

I think all the demo stuff is still working, but if I broke anything,
let me know.

-- Scott

------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at 

    http://archives.internet2.edu/

------------------------------------------------------mace-shib-design--