private yubico validation server with self-signed SSL certificate


inat...@gmail.com

Mar 16, 2017, 6:56:27 AM3/16/17
to RCDevs Security Solutions - Technical
Hello,

I am trying to configure MFA Authentication Server 1.3.3-2 to work with a private YubiCloud server protected with a self-signed SSL certificate (SHA-512).

Everything is working with plain HTTP. I am able to register the token and do a test login. But it does not work via SSL.

I am using the following settings:


YubiCloud over HTTPS        Yes
Private YubiCloud Server    auth.myserver.com
YubiCloud CA Certificate    /path/to/root/CA.pem


CA.pem is the CA certificate used to sign the certificate for auth.myserver.com. When I try to register a token I get the following error:


Could not send a request to the YubiCloud validation service


The /opt/webadm/logs/webadm.log file contains only the message "[Admin:NGZ44KUO] Sending YubiCloud validation request to 1 servers over HTTPS". I am unable to find a way to make the log more verbose. Debug settings in webadm.conf do not help.

Does anyone know how to debug OpenOTP SSL? Or, maybe, is there a way to configure the SSL settings used by OpenOTP while connecting to the auth server? I have to use TLSv1.1/TLSv1.2 with pretty strict SSL ciphers...


Thank you
Dimitri

Administrators

Mar 16, 2017, 7:10:23 AM3/16/17
to RCDevs Security Solutions - Technical
It should work this way.
Maybe you need the CA cert + intermediate CA for the OpenOTP client to trust the SSL certificate of the YubiCloud service.

In this case, make a PEM file containing both the CA cert and the intermediate CA cert(s).

inat...@gmail.com

Mar 16, 2017, 8:19:33 AM3/16/17
to RCDevs Security Solutions - Technical
I do not have an intermediate CA. So I tried to provide both the server and CA certificates chained in the PEM file. No difference.

Unfortunately, because the application files are already compiled, I cannot find the original call used in openotp_yubikey.php to debug it.

francois...@rcdevs.com

Mar 22, 2017, 9:13:47 AM3/22/17
to RCDevs Security Solutions - Technical
Hello,

Can you try the port with telnet?
Can you try a tcpdump of the communication and analyse it with Wireshark? You can try without and with SSL.
Do the packets pass in both directions? Without errors?
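Since OpenOTP only logs "Sending YubiCloud validation request" and nothing about why the TLS connection failed, the fastest way to separate a trust-chain problem from a protocol/cipher problem is to reproduce the request outside OpenOTP with explicit TLS settings. The client below is an added example written for this thread; it is not OpenOTP code and not from RCDevs. It assumes the private server speaks the YubiCloud validation protocol v2.0 (GET /wsapi/2.0/verify with id, otp, nonce and an optional HMAC-SHA1 signature h), that the "YubiCloud CA Certificate" bundle is the PEM file passed as cafile, and that the server name, client id and API key are placeholders. The sample response it checks is constructed inline.

```python
"""Diagnostic client for a private YubiCloud validation server over HTTPS.

Added example for this thread, not part of OpenOTP or RCDevs code.
Assumptions not stated on the page: the server implements the YubiCloud
validation protocol v2.0 (GET /wsapi/2.0/verify), replies with "key=value"
lines, and signs them with HMAC-SHA1 under a base64-encoded API key.
"""
import base64
import hashlib
import hmac
import secrets
import ssl
import urllib.parse
import urllib.request


def tls_context(cafile=None, min_version=ssl.TLSVersion.TLSv1_2, ciphers=None):
    """Strict client context: hostname check on, verification required,
    trust limited to the PEM bundle (root CA plus any intermediates)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = min_version
    if ciphers:
        ctx.set_ciphers(ciphers)  # e.g. the strict OpenSSL cipher list used server-side
    return ctx


def sign(params, api_key_b64):
    """YubiCloud v2.0 signature: base64(HMAC-SHA1(key, 'k=v&k=v...')),
    over every parameter except 'h', sorted by key."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def parse_response(body):
    """Turn the server's 'key=value' lines (CRLF separated) into a dict."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            k, v = line.split("=", 1)
            result[k] = v
    return result


def check_response(resp, otp, nonce, api_key_b64=None):
    """Return (ok, reason). The otp and nonce must be echoed unchanged and,
    when an API key is configured, the signature must verify."""
    if resp.get("otp") != otp:
        return False, "otp mismatch"
    if resp.get("nonce") != nonce:
        return False, "nonce mismatch"
    if api_key_b64 is not None:
        if not hmac.compare_digest(sign(resp, api_key_b64), resp.get("h", "")):
            return False, "bad signature"
    return resp.get("status") == "OK", resp.get("status", "no status")


def constructed_response(otp, nonce, api_key_b64, status="OK"):
    """Constructed sample reply (not captured from a real server)."""
    fields = {"t": "2017-03-16T10:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = sign(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n\r\n"


def verify_otp(server, client_id, otp, cafile, api_key_b64=None, timeout=10):
    """Send one validation request and report which layer failed, if any."""
    nonce = secrets.token_hex(16)  # 32 chars, inside the 16..40 the protocol allows
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    if api_key_b64:
        params["h"] = sign(params, api_key_b64)
    url = f"https://{server}/wsapi/2.0/verify?" + urllib.parse.urlencode(params)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=tls_context(cafile)) as r:
            body = r.read().decode()
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate not trusted with {cafile}: {e.verify_message}"
    except ssl.SSLError as e:
        return False, f"TLS handshake failed (protocol or cipher mismatch?): {e}"
    except OSError as e:
        return False, f"connection failed: {e}"
    return check_response(parse_response(body), otp, nonce, api_key_b64)


if __name__ == "__main__":
    # Offline self-check on a constructed reply; replace the placeholders
    # below with the real server, client id, API key and CA bundle to test live.
    key, otp, nonce = "c2VjcmV0", "c" * 44, "0123456789abcdef"
    print(check_response(parse_response(constructed_response(otp, nonce, key)), otp, nonce, key))
    # print(verify_otp("auth.myserver.com", 1, otp, "/path/to/root/CA.pem", key))
```

A "certificate not trusted" result points at the CA bundle (the file must contain the root and every intermediate, in PEM, and the server must present the leaf with its intermediates); a bare "TLS handshake failed" with the bundle accepted points at the protocol or cipher restrictions on the server, which is the case to check with a tcpdump capture as suggested above. Raising the minimum to TLSv1_1 is accepted by the ssl module but may be refused by the OpenSSL build underneath, so keep TLSv1_2 unless the server cannot offer it.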