Shibboleth Developers

At 4:11 PM -0500 12/28/04, Scott Cantor wrote:
>  > I was thinking of suggesting that people type something like this to
> >  make sure that they've correctly configured the SSL support into
> >  apache:
> >
> >  curl -L --key "../shibboleth.key" --cert "../shibboleth.crt" --cacert
> >  "../shibboleth.crt" https://stc-linux.cis.brown.edu:8443/jsp-examples
>
> I don't think this will work if the certificate isn't self-signed. I would
> think you either need to have the actual CA in that file, or you'd need to
> use -k to just disable the check.
>
> If it works, I need to look at the code because I couldn't get my code to
> work that way without overriding more of openssl than libcurl does.

you're right -- when I tested this earlier today, the shib instance 
on this box was configured for a bilateral trust arrangement.

however, I'm presuming that if I pointed the --cacert parm at the 
ca-bundle file being used by mod_ssl, this should work?

> >  (Note: I'm not sure why the -L is needed, but this doesn't seem to
> >  work for me without it....)
>
> -L just says to follow redirects. It should work either way, but you're
> getting back an empty body with a Location header. I would use -I instead
> and just invoke a HEAD request. You could also pass the command to dump the
> server response headers, don't recall what it is. But that's shorter output.

thanks for the hints!