  1. XMLTooling - C++
  2. CPPXT-9

Fedora 8 et seq, probably RHEL6, have libcurl linked against NSS, not OpenSSL resulting in SP problems

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0
    • Fix Version/s: 1.4
    • Component/s: SOAP
    • Labels:
      None
    • Environment:
      Fedora 8 for sure, almost certainly Fedora 9, probably RHEL 6 and CentOS 6 when they release.
    • Operating System:
      Linux
    • CPU Type:
      Multiple
    • C/C++ Compiler:
      Multiple

      Description

      This results in two problems. The first is that the cipher selection string isn't recognised, resulting in an error message at the SP and rather funky cipher selection.

      The second and more serious issue is that the SP won't present TLS credentials on any back-channel connection. This will result in the IdP treating the SP as unauthenticated and potentially denying it the attributes it needs.

      Scott's comment was that one solution would be to ship with a custom libcurl package which was linked against OpenSSL instead of NSS, and link the Shibboleth packages against that instead of the standard libcurl. The other alternative would be to handle the curl-over-NSS possibility explicitly, but that would probably be more work even if it was possible to do that and retain full functionality.
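
A quick way for a deployer to see which TLS library the local libcurl was built against, as an added example that is not part of the original report or the project's code. It assumes the SP loads the same system libcurl as the `curl` command-line tool; the function names and the two sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which TLS library a libcurl build is linked against,
# read from the first line of `curl --version`.

# Print openssl, nss, gnutls or unknown for a version banner.
curl_tls_backend() {
    for tok in $1; do                 # banner tokens look like name/version
        case $tok in
            OpenSSL/*) echo openssl; return 0 ;;
            NSS/*)     echo nss;     return 0 ;;
            GnuTLS/*)  echo gnutls;  return 0 ;;
        esac
    done
    echo unknown
}

# Return 0 only when the banner names OpenSSL; otherwise list the two
# symptoms described in this issue and return 1.
check_sp_curl() {
    backend=$(curl_tls_backend "$1")
    if [ "$backend" = openssl ]; then
        echo "OK: libcurl uses OpenSSL"
        return 0
    fi
    echo "WARN: libcurl TLS backend is '$backend', not OpenSSL:" >&2
    echo "  - the SP's cipher selection string may not be recognised" >&2
    echo "  - the SP may not present TLS credentials on back-channel connections" >&2
    return 1
}

# Constructed sample banners (hypothetical, not captured from real hosts).
SAMPLE_NSS='curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.7.0 zlib/1.2.3'
SAMPLE_OPENSSL='curl 7.19.7 (i686-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3'

# Check the curl on this host when there is one, else the NSS sample.
if command -v curl >/dev/null 2>&1; then
    banner=$(curl --version | head -n 1)
else
    banner=$SAMPLE_NSS
fi
check_sp_curl "$banner" || true
```

A non-zero result from `check_sp_curl` is a prompt to confirm, in the IdP's logs, whether back-channel requests from this SP arrive with a client certificate.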

            People

            • Assignee:
              Scott Cantor (cantor.2@osu.edu)
            • Reporter:
              Ian Young (ian@iay.org.uk)