mod_auth_cas - certificate path configuration and failed connection


Alan S

Dec 5, 2019, 10:20:38 AM
to CAS Community
I'm trying to connect to a CAS 5.3.3 server using the `apereo/mod_auth_cas` master branch. Following sign-in, the browser reports 'Secure Connection Failed' (ERR_EMPTY_RESPONSE) and the Apache ticket cache is empty. Does the configuration below suggest a problem with the CAS certificate path?

Thanks for taking a look.
-Alan


LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so
CASCertificatePath /etc/ssl/cert/CAS_SERVER_x509chain.pem

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://CAS_SERVER/cas/login
CASValidateURL https://CAS_SERVER/cas/samlValidate
CASValidateSAML On
CASAttributePrefix SAML-
CASDebug On

<LocationMatch ^/auth/>
    AuthType CAS
    AuthName "Authentication Required"
    CASAuthNHeader CAS-User
    Require valid-user
</LocationMatch>


[auth_cas:debug] [pid 20375] mod_auth_cas.c(2675):
    entering check_vhost_config()

[auth_cas:debug] [pid 20376] mod_auth_cas.c(2675):
    entering check_vhost_config()

[core:debug] [pid 20378] protocol.c(2316):
    [client CLIENT_IP:49262]
    AH03155: select protocol from , choices=h2,http/1.1 for server APP_HOST

[core:debug] [pid 20379] protocol.c(2316):
    [client CLIENT_IP:49264]
    AH03155: select protocol from , choices=h2,http/1.1 for server APP_HOST

[authz_core:debug] [pid 20379] mod_authz_core.c(820):
    [client CLIENT_IP:49264]
   AH01626: authorization result of Require valid-user : denied (no authenticated user yet)

[authz_core:debug] [pid 20379] mod_authz_core.c(820):
    [client CLIENT_IP:49264]
   AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

[auth_cas:debug] [pid 20379] mod_auth_cas.c(2159):
    [client CLIENT_IP:49264]
    Entering cas_authenticate()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(610):
    [client CLIENT_IP:49264]
    CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'

[auth_cas:debug] [pid 20379] mod_auth_cas.c(558):
    [client CLIENT_IP:49264]
    entering getCASLoginURL()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(535):
    [client CLIENT_IP:49264]
    entering getCASGateway()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(625):
    [client CLIENT_IP:49264]
    entering redirectRequest()

[auth_cas:debug] [pid 20379] mod_auth_cas.c(637):
    [client CLIENT_IP:49264]

[authz_core:debug] [pid 20378] mod_authz_core.c(820):
    [client CLIENT_IP:49262]
    AH01626: authorization result of Require valid-user : denied (no authenticated user yet),

[authz_core:debug] [pid 20378] mod_authz_core.c(820):
    [client CLIENT_IP:49262]
   AH01626: authorization result of <RequireAny>: denied (no authenticated user yet),

[auth_cas:debug] [pid 20378] mod_auth_cas.c(2159):
    [client CLIENT_IP:49262]
    Entering cas_authenticate(),

[auth_cas:debug] [pid 20378] mod_auth_cas.c(682):
    [client CLIENT_IP:49262]
    Modified r->args (now ''),

[auth_cas:debug] [pid 20378] mod_auth_cas.c(1832):
    [client CLIENT_IP:49262]
    entering getResponseFromServer(),

[auth_cas:debug] [pid 20378] mod_auth_cas.c(1895):
    [client CLIENT_IP:49262]
    samlPayload = <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1" RequestID="6cef759bedefebb9b13afbae6f18f368"><samlp:AssertionArtifact>ST-53-zxrvP6m7ACd--xeOLhHqVxQ-7MISFACAS3</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>,

[auth_cas:debug] [pid 20378] mod_auth_cas.c(610):
    [client CLIENT_IP:49262]
    CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f',

[core:debug] [pid 20380] protocol.c(2316):
    [client CLIENT_IP:49280]
   AH03155: select protocol from , choices=h2,http/1.1 for server APP_HOST

[authz_core:debug] [pid 20380] mod_authz_core.c(820):
    [client CLIENT_IP:49280]
   AH01626: authorization result of Require valid-user : denied (no authenticated user yet),

[authz_core:debug] [pid 20380] mod_authz_core.c(820):
    [client CLIENT_IP:49280]
   AH01626: authorization result of <RequireAny>: denied (no authenticated user yet),

[auth_cas:debug] [pid 20380] mod_auth_cas.c(2159):
    [client CLIENT_IP:49280]
    Entering cas_authenticate(),

[auth_cas:debug] [pid 20380] mod_auth_cas.c(682):
    [client CLIENT_IP:49280]
    Modified r->args (now ''),

[auth_cas:debug] [pid 20380] mod_auth_cas.c(1832):
    [client CLIENT_IP:49280]
    entering getResponseFromServer(),

[auth_cas:debug] [pid 20380] mod_auth_cas.c(1895):
    [client CLIENT_IP:49280]
    samlPayload = <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1" RequestID="bd2e248cbb8aec0e1a8188502988c82e"><samlp:AssertionArtifact>ST-53-zxrvP6m7ACd--xeOLhHqVxQ-7MISFACAS3</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>,

[auth_cas:debug] [pid 20380] mod_auth_cas.c(610):
    [client CLIENT_IP:49280]
    CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f',
   
[core:debug] [pid 20384] protocol.c(2316):
    [client APP_HOST_IP:57578]
   AH03155: select protocol from , choices=http/1.1 for server APP_HOST

[authz_core:debug] [pid 20384] mod_authz_core.c(820):
    [client APP_HOST_IP:57578]
   AH01626: authorization result of Require all granted: granted

[authz_core:debug] [pid 20384] mod_authz_core.c(820):
    [client APP_HOST_IP:57578]
   AH01626: authorization result of <RequireAny>: granted


Alan S

Dec 12, 2019, 6:09:18 PM
to CAS Community
Still wrestling with this, I'm now specifying just the serviceValidate endpoint to remove any possible problems with SAML attribute delivery. My Apache configuration now looks like this:

LoadModule auth_cas_module /usr/lib/apache2/modules/mod_auth_cas.so

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://CAS_SERVER/cas/login
CASValidateURL https://CAS_SERVER/cas/serviceValidate

CASDebug On

<LocationMatch ^/auth/>
    AuthType CAS
    AuthName "Autentication required"
    CASAuthNHeader CAS-User
    Require valid-user
</LocationMatch>

My logs never show a response validation:

[Thu Dec 12 16:54:20.821632 2019] [auth_cas:debug] [pid 20232] mod_auth_cas.c(2675): entering check_vhost_config()
[Thu Dec 12 16:54:20.904208 2019] [auth_cas:debug] [pid 20233] mod_auth_cas.c(2675): entering check_vhost_config()
[Thu Dec 12 16:54:29.432630 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(2159): [client CLIENT_IP:44734] Entering cas_authenticate()
[Thu Dec 12 16:54:29.432643 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(610): [client CLIENT_IP:44734] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'
[Thu Dec 12 16:54:29.432652 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(558): [client CLIENT_IP:44734] entering getCASLoginURL()
[Thu Dec 12 16:54:29.432663 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(535): [client CLIENT_IP:44734] entering getCASGateway()
[Thu Dec 12 16:54:29.432671 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(625): [client CLIENT_IP:44734] entering redirectRequest()
[Thu Dec 12 16:54:29.432681 2019] [auth_cas:debug] [pid 20238] mod_auth_cas.c(637): [client CLIENT_IP:44734] Adding outgoing header: Location: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729659 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(682): [client CLIENT_IP:44736] Modified r->args (now ''), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(1832): [client CLIENT_IP:44736] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(610): [client CLIENT_IP:44736] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031085 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(2159): [client CLIENT_IP:44754] Entering cas_authenticate(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031100 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(682): [client CLIENT_IP:44754] Modified r->args (now ''), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031149 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(1832): [client CLIENT_IP:44754] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f
[Thu Dec 12 16:54:35.031241 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(610): [client CLIENT_IP:44754] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_HOST%2fauth%2f

Any idea what could be causing this "Secure Connection Failed" issue on a 5.3 server connection? (I've tried connecting on the latest mod_auth_cas master and v1.2 tag.)

Thanks!
-Alan

David Hawes

Dec 12, 2019, 11:06:26 PM
to CAS Community
I'd expect to see a CURL error or the validation response printed out.

Are there any logs on your CAS server that show the service validation
from mod_auth_cas? Can you ensure that you can "curl
https://CAS_SERVER/cas/serviceValidate" from the host running Apache
and mod_auth_cas?
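
The symptom in the posts above (a worker enters getResponseFromServer() and then logs neither a curl error nor a validation response) can be picked out of a `CASDebug On` error log mechanically. This is an added example, not part of the thread or of mod_auth_cas: the function name, the shortened referers and the pid 30001 lines are constructed, and treating any later auth_cas message as an outcome is an assumption.

```python
import re

# Matches the auth_cas debug lines that CASDebug On writes to the Apache error log.
AUTH_CAS_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_cas:\w+\] \[pid (?P<pid>\d+)\] "
    r"mod_auth_cas\.c\(\d+\): \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
# Messages seen in this thread between entering getResponseFromServer() and the
# HTTPS call to the CAS server; they say nothing about the outcome.
PRE_REQUEST = ("samlPayload =", "CAS Service ")


def find_silent_validations(log_text):
    """Return (pid, client, timestamp) for every ticket validation that entered
    getResponseFromServer() and produced no further auth_cas message from the
    same worker before the log ended or the worker took a new request."""
    pending = {}  # pid -> (client, timestamp) of the validation in flight
    silent = []
    for line in log_text.splitlines():
        m = AUTH_CAS_LINE.match(line.strip())
        if not m:
            continue  # lines from other modules (ssl, authz_core, ...) are ignored
        pid, client, ts, msg = m["pid"], m["client"], m["ts"], m["msg"]
        if msg.startswith("Entering cas_authenticate()"):
            # New request on this worker: an unfinished validation is a finding.
            if pid in pending:
                silent.append((pid, *pending.pop(pid)))
        elif msg.startswith("entering getResponseFromServer()"):
            pending[pid] = (client, ts)
        elif pid in pending and not msg.startswith(PRE_REQUEST):
            pending.pop(pid)  # assumption: any other message reports an outcome
    # Validations still in flight at the end of the log never reported a result.
    silent.extend((pid, *info) for pid, info in pending.items())
    return silent


# Constructed sample: pids 20235/20236 follow the lines posted in this thread
# (referer shortened); pid 30001 is an invented healthy worker whose last line
# uses placeholder outcome text and an invented source line number.
SAMPLE_LOG = """\
[Thu Dec 12 16:54:34.729642 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(2159): [client CLIENT_IP:44736] Entering cas_authenticate(), referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:54:34.729659 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(682): [client CLIENT_IP:44736] Modified r->args (now ''), referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:54:34.729749 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(1832): [client CLIENT_IP:44736] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:54:34.729853 2019] [auth_cas:debug] [pid 20235] mod_auth_cas.c(610): [client CLIENT_IP:44736] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:54:35.031085 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(2159): [client CLIENT_IP:44754] Entering cas_authenticate(), referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:54:35.031149 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(1832): [client CLIENT_IP:44754] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:54:35.031241 2019] [auth_cas:debug] [pid 20236] mod_auth_cas.c(610): [client CLIENT_IP:44754] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f', referer: https://CAS_SERVER/cas/login
[Thu Dec 12 16:55:01.000100 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(2159): [client CLIENT_IP:50000] Entering cas_authenticate()
[Thu Dec 12 16:55:01.000200 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(1832): [client CLIENT_IP:50000] entering getResponseFromServer()
[Thu Dec 12 16:55:01.000300 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(610): [client CLIENT_IP:50000] CAS Service 'https%3a%2f%2fAPP_HOST%2fauth%2f'
[Thu Dec 12 16:55:01.250000 2019] [auth_cas:debug] [pid 30001] mod_auth_cas.c(1999): [client CLIENT_IP:50000] Validation response: (constructed placeholder)
"""

if __name__ == "__main__":
    for pid, client, ts in find_silent_validations(SAMPLE_LOG):
        print(f"pid {pid} ({client}) went quiet after getResponseFromServer() at {ts}")
```

Extra log statements added to the module between the "CAS Service" line and the HTTPS call would count as an outcome here unless their prefixes are added to `PRE_REQUEST`.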

Alan S

Dec 13, 2019, 10:57:16 AM
to CAS Community
Thank you, David. If I include the service and ticket, with the cert chain specified, this is the response. Note that I used the ticket from the browser login attempt to test this--do I need to initiate the login request via curl? I also would think a validation error would show up in my logs, but, after the 'CAS Service' line, it simply stops generating auth_cas logs. I'll contact our CAS server team to request server logs from these connections.

-Alan

curl -v --cacert /etc/ssl/InCommon/chain.crt https://CAS_SERVER/cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f'&'ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3


*   Trying CAS_SERVER_IP...
* Connected to CAS_SERVER (CAS_SERVER_IP) port 443 (#0)
* found 3 certificates in /etc/ssl/InCommon/chain.crt
* found 582 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
''' SNIP! '''
* ALPN, server did not agree to a protocol
> GET /cas/serviceValidate?service=https%3a%2f%2fAPP_HOST%2fauth%2f&ticket=ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3 HTTP/1.1
> Host: CAS_SERVER
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200
< Cache-Control: no-store
< Pragma:
< Expires:
< Strict-Transport-Security: max-age=15768000 ; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html;charset=UTF-8
< Content-Language: en-US
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 13 Dec 2019 15:40:32 GMT
<
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code="INVALID_TICKET">Ticket &#39;ST-2-Tx60JTe9ZiSCDUEphxs6upVgrfgSFACAS3&#39; not recognized</cas:authenticationFailure>
</cas:serviceResponse>
* Connection #0 to host CAS_SERVER left intact


Ray Bon

Dec 13, 2019, 12:17:01 PM
to cas-...@apereo.org
Alan,

By default it only lasts 10 seconds, which may not be enough time for you to copy and paste.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Alan S

Dec 13, 2019, 1:05:48 PM
to CAS Community
Ray--I requested an update to the ticket TTL and will report back with the results. Thanks!

-Alan

Alan S

Dec 13, 2019, 2:58:17 PM
to CAS Community
Okay, via curl, this looks good (see the response below), and I'm getting the authenticated username returned. So, this is a good step forward in troubleshooting. Do you have advice for debugging the Apache module? I'm not sure what would cause it to be so "quiet."

-Alan

Enter service ticket ID: ST-3-AVml3Z3uyCXQCJ8-xpO9C4OV5sQSFACAS3
*   Trying CAS_SERVER_IP...
* Connected to CAS_SERVER (CAS_SERVER_IP) port 443 (#0)
* found 3 certificates in /etc/ssl/InCommon/chain.crt
* found 582 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*      server certificate verification OK
*      server certificate status verification SKIPPED
*      common name: CAS_SERVER (matched)
*      server certificate expiration date OK
*      server certificate activation date OK
*      certificate public key: RSA
*      certificate version: #3
*      subject: CERT_INFO
*      start date: Wed, 09 Oct 2019 00:00:00 GMT
*      expire date: Thu, 08 Oct 2020 23:59:59 GMT
*      issuer: C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon RSA Server CA
*      compression: NULL
* ALPN, server did not agree to a protocol
> GET /cas/serviceValidate?service=https%3a%2f%2fAPP_SERVER%2fauth%2f&ticket=ST-3-AVml3Z3uyCXQCJ8-xpO9C4OV5sQSFACAS3 HTTP/1.1
> Host: CAS_SERVER
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200
< Cache-Control: no-store
< Pragma:
< Expires:
< Strict-Transport-Security: max-age=15768000 ; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Content-Type: application/xml;charset=UTF-8
< Content-Language: en-US
< Transfer-Encoding: chunked
< Vary: Accept-Encoding
< Date: Fri, 13 Dec 2019 19:42:02 GMT
<
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>MY_USER_NAME</cas:user>
        </cas:authenticationSuccess>
</cas:serviceResponse>
* Connection #0 to host CAS_SERVER left intact

Alan S

Dec 13, 2019, 3:49:58 PM
to CAS Community
I also want to mention that, using curl POST, I'm getting attributes returned via the samlValidate endpoint.

-Alan

David Hawes

Dec 13, 2019, 4:18:28 PM
to CAS Community
On Fri, 13 Dec 2019 at 14:58, Alan S <sco...@sfasu.edu> wrote:
>
> Okay, via curl, this looks good (see the response below), and I'm getting the authenticated username returned. So, this is a good step forward in troubleshooting. Do you have advice for debugging the Apache module? I'm not sure what would cause it to be so "quiet."

I agree, that looks good. It's with the same curl that mod_auth_cas
was compiled against, right?

As far as debugging, could you add some log messages like the following:

ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "made it here!");

to getResponseFromServer()? I'd start at around lines 1904, 1906, and
1912 of git master.

Alan S

Dec 13, 2019, 5:30:41 PM
to CAS Community
I'll rebuild with the log output lines as you suggested and post how it goes.

It looks like the curl version matches:

$ /usr/bin/curl-config --version
libcurl 7.47.0

$ /usr/bin/curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets


...and my mod_auth_cas configuration log:

config.log (line 1296)
libcurl_cv_lib_curl_version=7.47.0

Thank you!
-Alan

Alan S

Dec 13, 2019, 5:53:16 PM
to CAS Community
Here's the Apache log with the additional log reporting lines. It makes it to lines 1904 and 1906, but then seems to fail on `curl_easy_perform`.

[Fri Dec 13 16:43:48.345565 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c(1832): [client CLIENT_IP:35632] entering getResponseFromServer(), referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345651 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c(1895): [client CLIENT_IP:35632] samlPayload = <?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"  MajorVersion="1" MinorVersion="1" RequestID="d9b827223ed99d990cc8ebdf7e9baeca"><samlp:AssertionArtifact>ST-9-OQvPfKXueVO-Tz5dQWATBIktFG4SFACAS3</samlp:AssertionArtifact></samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>, referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345666 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c(610): [client CLIENT_IP:35632] CAS Service 'https%3a%2f%2fAPP_SERVER%2fauth%2f', referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345673 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c(1904): [client CLIENT_IP:35632] ****** point 1, referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:43:48.345688 2019] [auth_cas:debug] [pid 9977] mod_auth_cas.c(1906): [client CLIENT_IP:35632] ****** point 2, referer: https://CAS_SERVER/cas/login?service=https%3a%2f%2fAPP_SERVER%2fauth%2f
[Fri Dec 13 16:44:20.816146 2019] [ssl:info] [pid 9978] [client APP_SERVER_IP:38236] AH01964: Connection to child 2 established (server APP_SERVER:443)
[Fri Dec 13 16:44:20.816483 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c(2388): [client APP_SERVER_IP:38236] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Fri Dec 13 16:44:20.816503 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c(2388): [client APP_SERVER_IP:38236] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Fri Dec 13 16:44:20.816514 2019] [core:debug] [pid 9978] protocol.c(2316): [client APP_SERVER_IP:38236] AH03155: select protocol from , choices=http/1.1 for server APP_SERVER
[Fri Dec 13 16:44:20.821920 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c(2236): [client APP_SERVER_IP:38236] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Fri Dec 13 16:44:20.821994 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0xd2 -> subcache 18)
[Fri Dec 13 16:44:20.822009 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(849): AH00847: insert happened at idx=0, data=(0:32)
[Fri Dec 13 16:44:20.822018 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/201
[Fri Dec 13 16:44:20.822026 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Fri Dec 13 16:44:20.822167 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(495): AH00831: socache_shmcb_store (0x8a -> subcache 10)
[Fri Dec 13 16:44:20.822185 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(849): AH00847: insert happened at idx=1, data=(222:254)
[Fri Dec 13 16:44:20.822194 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(854): AH00848: finished insert, subcache: idx_pos/idx_used=0/2, data_pos/data_used=0/423
[Fri Dec 13 16:44:20.822202 2019] [socache_shmcb:debug] [pid 9978] mod_socache_shmcb.c(516): AH00834: leaving socache_shmcb_store successfully
[Fri Dec 13 16:44:20.822360 2019] [ssl:debug] [pid 9978] ssl_engine_kernel.c(383): [client APP_SERVER_IP:38236] AH02034: Initial (No.1) HTTPS request received for child 2 (server APP_SERVER:443)
[Fri Dec 13 16:44:20.822461 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of Require all granted: granted
[Fri Dec 13 16:44:20.822475 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of <RequireAny>: granted
[Fri Dec 13 16:44:20.822587 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of Require all granted: granted
[Fri Dec 13 16:44:20.822602 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of <RequireAny>: granted
[Fri Dec 13 16:44:20.822688 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of Require all granted: granted
[Fri Dec 13 16:44:20.822701 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of <RequireAny>: granted
[Fri Dec 13 16:44:20.822927 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of Require all granted: granted
[Fri Dec 13 16:44:20.822943 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of <RequireAny>: granted
[Fri Dec 13 16:44:20.823016 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of Require all granted: granted
[Fri Dec 13 16:44:20.823030 2019] [authz_core:debug] [pid 9978] mod_authz_core.c(820): [client APP_SERVER_IP:38236] AH01626: authorization result of <RequireAny>: granted
[Fri Dec 13 16:44:20.825002 2019] [ssl:debug] [pid 9978] ssl_engine_io.c(1106): [client APP_SERVER_IP:38236] AH02001: Connection closed to child 2 with standard shutdown (server APP_SERVER:443)


David Hawes

Dec 13, 2019, 6:28:22 PM
to CAS Community
On Fri, 13 Dec 2019 at 17:30, Alan S <sco...@sfasu.edu> wrote:
>
> I'll rebuild with the log output lines as you suggested and post how it goes.
>
> It looks like the curl version matches:
>
> $ /usr/bin/curl-config --version
> libcurl 7.47.0
>
> $ /usr/bin/curl --version
> curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3

Is there any chance this is a curl install from packages and you can
install a curl that uses OpenSSL?

This is mostly a shot in the dark, but may be worth trying if it's a
simple change for you.

Alan S

Dec 17, 2019, 10:43:34 AM
to CAS Community
David, for a "shot in the dark," that was perfect aim, and all is working great now. I can't thank you and the community enough for the guidance.

For a saner, future me, I documented my procedures below. Any improvements or suggestions are welcome.

-Alan

openssl version
OpenSSL 1.1.1  11 Sep 2018 (Library: OpenSSL 1.1.1d  10 Sep 2019)

curl-config --version
libcurl 7.47.0


INSTALL CURL+SSL

Build curl from source with SSL support. I used curl v7.67.0 and installed it in `/opt/curl`.

sudo mkdir /opt/curl
sudo chown root:root /opt/curl

git clone https://github.com/curl/curl.git
cd curl
git checkout curl-7_67_0

autoreconf
./configure --prefix=/opt/curl --with-ssl
make
sudo make install

Verify the curl installation:

/opt/curl/bin/curl --version

curl 7.68.0-DEV (x86_64-pc-linux-gnu) libcurl/7.68.0-DEV OpenSSL/1.1.1d
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS HTTPS-proxy IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP UnixSockets


INSTALL MOD_AUTH_CAS

Clone the apereo/mod_auth_cas from master (latest commit to include a requestId: 89ac1b6, 2018-07-30; not necessary, but I branched and tagged this locally for now). Specify the newly-built curl+ssl package in the configuration and build/install the CAS module.

git clone https://github.com/apereo/mod_auth_cas.git
cd mod_auth_cas

[branched, tagged, and checked out]

autoreconf -ivf
./configure --with-libcurl=/opt/curl
make
sudo make install

Refer to the Apache guidelines for configuring a service or SAML validation endpoint.
