[32592] in Kerberos


Re: PKINIT and LDAP

daemon@ATHENA.MIT.EDU (Bram Cymet)
Mon Aug 23 17:55:46 2010

Message-ID: <4C72EE58.4030501@cbnco.com>
Date: Mon, 23 Aug 2010 17:55:36 -0400
From: Bram Cymet <bcymet@cbnco.com>
MIME-Version: 1.0
To: kerberos@mit.edu
In-Reply-To: <4C72ADF5.1030103@cbnco.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 08/23/2010 01:20 PM, Bram Cymet wrote:
> Hi,
>
> When I had my realm backended with kdb, pkinit worked with certificates 
> just fine. Now that I have set up my realm to have an LDAP backend, when 
> I try to kinit with certificates my KDC segfaults.
>
> Well, it is actually OpenSSL that crashes on a call to 
> X509_get_subject_name(). The only reason I could really see this call 
> failing is if the data being passed to it is not really an X509 cert?
>
> Any ideas why this could be happening? Do I have to have the client 
> cert in ldap? Could this be a configuration problem?
>
> Thanks,
>
I have found the location of the problem. It is a certificate chain 
verification problem. I know that my chain should validate however:

A call to X509_verify_cert() in 
plugins/preauth/pkinit/pkinit_crypto_openssl.c sets ctx->error to 0, 
which, according to the OpenSSL source, should not happen:

#define         X509_V_OK                                       0
/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */

So in this case openssl_callback_ignore_crls() returns 0 and the KDC 
goes on to try and look at what should be a CRL, but since I am not 
checking a CRL there is nothing there and it segfaults. Before I was 
using the LDAP backend I was using the same cert generation process and 
everything worked just fine, so I am fairly sure my certs are OK.

I am really not sure why my using the LDAP backend would have any effect 
on how the certificate chain is validated. I will continue to 
investigate this from an OpenSSL point of view, but has anyone ever come 
across this before or have any idea what could be going on?

Thanks,

-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
