shibboleth-dev - RE: client certificate chains and 1.3 IdP
- From: "Scott Cantor" <>
- To: "'Ian Young'" <>, <>
- Subject: RE: client certificate chains and 1.3 IdP
- Date: Tue, 5 Jul 2005 17:39:02 -0400
- Organization: The Ohio State University
> The situation is a 1.3 IdP talking to a 1.2.1 SP. The metadata is in
> the PKI style and contains a root CA only; from this comes a chain of
> intermediates before you get to the real certificates; the metadata
> doesn't include those. I am reasonably sure that the SP is pushing the
> intermediates to the IdP: I have logging turned up to the max, and I can
> see plausible things going by in the Apache logs implying that it sees a
> full certificate chain. Apache verifies the chain (this isn't
> conclusive, it may have access to some of the intermediate
> certificates).
Apache shouldn't be doing anything now. Just set optional_no_ca and apart
from some annoying path length checks, it doesn't do anything, just passes
what it got.
> The problem is that the IdP's internal verification of the same chain
> fails. Adding some logging to the IdP indicates that it sees only the
> end client certificate, not the rest of the chain. The intermediate
> certificates don't seem to be passed through to tomcat, in
> other words.
That would surprise me and suck. Sort of. Relying on the CA stuff for
anything harder than one level of issuance is probably asking for pain.
> Is anyone working with a combination like this (1.3 IdP, CA hierarchy,
> IdP knows about root only, SP pushes intermediates) and can report
> success? Or have any ideas as to what to blame?
I thought I tested this, but I'm probably out of 1.2 SPs to test. Maybe we
could have you test against Example State since bossie is a chain?
I can take bossie's intermediate out of the metadata there and we could try
it. If your SP doesn't send both or I don't get both, it won't validate....
-- Scott
- client certificate chains and 1.3 IdP, Ian Young, 07/05/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/05/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/05/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/05/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Walter Hoehn, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- RE: client certificate chains and 1.3 IdP, Scott Cantor, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Ian Young, 07/06/2005
- Re: client certificate chains and 1.3 IdP, Walter Hoehn, 07/06/2005