errors on currently configured webauth machine

Dameon Wagner dameon.wagner at it.ox.ac.uk
Fri Dec 11 01:08:30 PST 2015


On Thu, Dec 10 2015 at 18:36:35 -0800, Adam Lewenberg scribbled
 in "Re: errors on currently configured webauth machine":
> 
> 
> On 12/10/2015 5:54 PM, Russ Allbery wrote:
> >Thomas Carlson <tec at stanford.edu> writes:
> >
> >>[Thu Dec 10 16:28:20 2015] [error] mod_webauth: curl_easy_perform:
> >>error(35): error:0D0890A1:asn1 encoding routines:ASN1_verify:unknown
> >>message digest algorithm
> >
> >mod_webauth is trying to get a webkdc-service token from the WebKDC, and
> >that attempt is failing because your local SSL library doesn't like the
> >message digest algorithm being used by the WebKDC server certificate.
> >
> >Why, I don't know.  I suspect either your SSL implementation is too old or
> >the WebKDC certificate is too old.  If the weblogin.stanford.edu
> >certificate was recently changed, that would be the first thing I'd look
> >at: what message digest algorithm was it using before, and what is it
> >using now, and what OpenSSL is your mod_webauth installation using?
> >
> 
> The weblogin.stanford.edu certificate was changed this morning (to
> one using SHA-2).

We recently renewed our webkdc certificate to one using SHA256, and
came across, thankfully only, one system reported to not work.  The
logs were similar to those posted by the OP, and it turned out that
his RHEL 4.x system just couldn't handle SHA256 hashes.

After half a day searching for updated RPMs for apache and openssl the
user decided it was simpler to seize the opportunity to upgrade the
whole system as it was about time anyway.

Cheers.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
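
Added example (not part of the original message and not WebAuth code): a standard-library Python check for the question raised in the thread, namely which message digest the server certificate is signed with, read from the certificate's signatureAlgorithm OID. The sample bytes are a constructed skeleton rather than a real certificate, and the OID table covers only common RSA signature algorithms.

```python
import ssl

# Common RSA signature-algorithm OIDs and the digest each one requires.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_digest(der):
    """Return (oid, digest) from the certificate's outer signatureAlgorithm."""
    _, body, _ = read_tlv(der, 0)         # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)   # step over tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(der, alg)  # its first member is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[start:end])
    return oid, SIG_OIDS.get(oid, "unknown")

def cert_signature_digest_pem(pem):
    return cert_signature_digest(ssl.PEM_cert_to_DER_cert(pem))

# Constructed skeleton, not a real certificate: empty tbsCertificate, sha256WithRSAEncryption.
SAMPLE_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")

if __name__ == "__main__":
    oid, digest = cert_signature_digest(SAMPLE_DER)
    print(f"certificate signature: {digest} ({oid})")
    print("OpenSSL linked into this Python:", ssl.OPENSSL_VERSION)
```

The OpenSSL version printed is the one linked into the Python interpreter, which can differ from the library the Apache module on the same host uses.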



More information about the webauth-info mailing list