webkdc unrecoverable_error

Russ Allbery eagle at windlord.stanford.edu
Thu Dec 22 10:12:48 PST 2011


Bram Cymet <bcymet at cbnco.com> writes:

> After upgrading a few more packages I have started to get a meaningful
> error message:

>  LWP::Protocol::https::Socket: SSL connect attempt failed with unknown
> errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed at /usr/lib/perl5/site_perl/5.10.0/LWP/Protocol/http.pm
> line 51.

> It turns out LWP v6.00 started doing proper certificate validation.
> Which is great however they are very strict and do not allow self signed
> CA certs:

Oh!  This.  This is fixed in later versions of WebAuth.  The patch that
you want is:

--- a/weblogin/login.fcgi
+++ b/weblogin/login.fcgi
@@ -43,6 +43,14 @@ our %PAGES = (login    => 'login.tmpl',
               pwchange => 'pwchange.tmpl',
               error    => 'error.tmpl');
 
+# If the WebKDC is localhost, disable LWP certificate verification.  The
+# WebKDC will have a certificate matching its public name, which will never
+# match localhost, and we should be able to trust the server when connecting
+# directly to localhost.
+if ($WebKDC::Config::URL =~ m,^https://localhost/,) {
+    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
+}
+
 ##############################################################################
 # Debugging
 ##############################################################################
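Review bot: the `$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0` assignment in this block is process-wide, so it also switches off verification for any other HTTPS request that login.fcgi or a module it loads makes later in the same process, not only the connection to the WebKDC on localhost; passing `ssl_opts => { verify_hostname => 0 }` to the one LWP::UserAgent that talks to the WebKDC would keep the relaxation scoped to that connection. The `m,^https://localhost/,` match is deliberately tight (no port, no 127.0.0.1), which is the right direction, but the comment's "we should be able to trust the server when connecting directly to localhost" rests on `localhost` actually resolving to the loopback interface, which a stray /etc/hosts entry or resolver setting can change; that assumption is worth stating in the comment so the next reader knows what the exception depends on.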

or in general just add that setting to the start of login.fcgi.  This was
fixed in 3.7.4.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
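The following is an added example, not WebAuth code and not part of the message above: it shows the narrower form of the same fix, relaxing verification on the single LWP::UserAgent that talks to the WebKDC rather than through the process-wide PERL_LWP_SSL_VERIFY_HOSTNAME variable. The CA file path and the fallback URL are assumptions chosen for illustration; the real login.fcgi builds its agent inside the WebKDC modules, so this is a pattern, not a drop-in patch.

```perl
#!/usr/bin/perl
# Added example (not part of WebAuth): decide per WebKDC URL whether LWP 6
# certificate/hostname verification may be relaxed, instead of setting the
# process-wide $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}.
use strict;
use warnings;
use LWP::UserAgent;
use URI;

# Return an LWP::UserAgent for the given WebKDC URL.
#
# Only a URL whose host is literally "localhost" (any port) gets
# verification turned off; any other host keeps full verification, with the
# peer checked against the CA bundle in $ca_file.  $ca_file is an assumed
# path for this example, not a WebAuth configuration item.
sub webkdc_agent {
    my ($url, $ca_file) = @_;
    my $uri = URI->new($url);
    my %ssl_opts;

    if (($uri->scheme // '') eq 'https' && $uri->host eq 'localhost') {
        # Connecting to the loopback interface.  The WebKDC certificate
        # carries the service's public name, so a hostname check against
        # "localhost" can never succeed; trust the local connection instead.
        %ssl_opts = (verify_hostname => 0);
    } else {
        # Remote WebKDC: verify the certificate chain and the hostname.
        %ssl_opts = (verify_hostname => 1, SSL_ca_file => $ca_file);
    }

    return LWP::UserAgent->new(ssl_opts => \%ssl_opts, timeout => 10);
}

# Usage: perl this-script.pl https://webkdc.example.edu/webkdc-service/
# The default URL and CA path below are illustrative assumptions.
my $url = shift @ARGV || 'https://localhost/webkdc-service/';
my $ua  = webkdc_agent($url, '/etc/webauth/webkdc-ca.pem');
my $res = $ua->head($url);
print $res->status_line, "\n";
```

Note that in LWP 6 a false verify_hostname does not merely skip the name comparison: per the LWP::UserAgent documentation, no checks are made at all, which is why the patch's comment speaks of disabling certificate verification. Keeping that setting on one agent object limits the blast radius of the exception to the loopback connection it was written for.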
