Broken after OpenSSL upgrade, IIS


Chris Harding

Mar 15, 2016, 9:12:41 AM
to SimpleSAMLphp

IIS 7
Windows 2008 R2
PHP 5.4.28
i386-pc-win32
OpenSSL 1.0.1g 7 April 2014

I updated OpenSSL because we have to support TLS 1.2, and now simplesamlphp stops working. I upgraded to 1.14.0, which seemed to help some, but it is still not working. Before upgrading, if I went to Federation and "show metadata" it would give an error 500. I also had to deal with PHP openssl_random_pseudo_bytes() not being defined; it appeared that I had solved all of those, but when I tested in production last night it failed again. This time, when coming from the source page to our SP landing page, it complained about not being encrypted; then when I tried with http it accepted it, but failed to process and sent me back to the IdP landing page, which just gave me a generic error before directing me back to the login. Another odd thing: when on 1.14.0 and HTTPS the CSS doesn't seem to load, but from localhost it does. Any help or ideas of where to look next?

Peter Schober

Mar 15, 2016, 9:25:19 AM
to SimpleSAMLphp
* Chris Harding <kille...@gmail.com> [2016-03-15 14:12]:
> I updated OpenSSL because we have to support TLS 1.2 and now
> simplesamlphp stops working.

SimpleSAMLphp does not do TLS, your web server does?
-peter

Chris Harding

Mar 15, 2016, 9:32:56 AM
to SimpleSAMLphp, peter....@univie.ac.at
Peter,

Correct, we started with OpenSSL 0.9.8 and had to update to the 1.0.1 branch for PHP to support TLS 1.2 and in just updating that simplesaml broke. I can revert back to the 0.9.8 and it will return to working condition.

Jaime Perez Crespo

Mar 15, 2016, 10:03:03 AM
to simple...@googlegroups.com
Hi Chris,

I’m afraid your issue has nothing to do with SimpleSAMLphp. The only places where you could end up using OpenSSL are the validating of signatures, signing of messages, or encryption. None of that happens in general (and of course not when loading a CSS or any other resource).

It looks like when you upgrade OpenSSL, your IIS / PHP installation breaks, probably because they need updating too to use the new version of OpenSSL just installed.

On 15 Mar 2016, at 14:32 PM, Chris Harding <kille...@gmail.com> wrote:
> Correct, we started with OpenSSL 0.9.8 and had to update to the 1.0.1 branch for PHP to support TLS 1.2 and in just updating that simplesaml broke. I can revert back to the 0.9.8 and it will return to working condition.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Chris Harding

Mar 15, 2016, 11:16:01 AM
to SimpleSAMLphp
Jaime,

Thank you. I matched Windows PHP to the OpenSSL and backed up to my original 1.12.0 on a testing machine, and didn't get any noticeable errors, with the exception of this one from the IdP.

A popup that stated: The information you have entered on this page will be sent over an insecure connection and could be read by a third party
Then on the redirect page:
Error Message:
Error decoding authentication request message

Jaime Perez Crespo

Mar 15, 2016, 11:20:45 AM
to simple...@googlegroups.com
Hi again,

It sounds like your installation is completely broken. Check your web server logs to see if you have any information in there. I would also advise you to install and use the SAML tracer Firefox extension to follow the entire HTTP exchange, and try to debug how you are accessing the server (HTTP vs HTTPS), what responses are you getting, how are you posting the data, etc.

> On 15 Mar 2016, at 16:16 PM, Chris Harding <kille...@gmail.com> wrote:
> Jaime,
>
> Thank you, I matched windows PHP to the OpenSSL and backed up to my original 1.12.0 on a testing machine and didn't get any noticeable errors with the exception of this one from the idP.
>
> A popup that stated: The information you have entered on this page will be sent over an insecure connection and could be read by a third party
> Then on the redirect page:
> Error Message:
> Error decoding authentication request message

Peter Schober

Mar 15, 2016, 11:51:23 AM
to SimpleSAMLphp
* Chris Harding <kille...@gmail.com> [2016-03-15 16:16]:
> A popup that stated: The information you have entered on this page
> will be sent over an insecure connection and could be read by a
> third party

That sounds like the kind of message you'd get after authentication at
the IDP, when HTTP POST'ing the SAML Response from the IDP -- running
on HTTPS -- to a SAML SP running on HTTP only.
Does that match what you did to cause this specific error?
If so the reason is plain HTTP endpoints in the SP's metadata.

> Then on the redirect page:
> Error Message:
> Error decoding authentication request message

Hm, that happens after the above? An Authn Request would be sent to
the IDP before you'd authenticate (or experience SSO) at the IDP.
What did you do to cause the authn request to be sent? Access a
specific SP? Is the authn request even present at the IDP endpoints,
does it look OK in the browser (cf. Jaime's reply wrt SAMLtracer)?
-peter

Chris Harding

Mar 15, 2016, 11:59:45 AM
to SimpleSAMLphp, peter....@univie.ac.at

And yes, that client has an http/https issue, which I have alerted them on. I am going to try another client as soon as I get permission. When I dodge the previous error message I finally came up with this one: "No peer endpoint available to which to send SAML response." I am going to assume this is because I am working on a development server that is IP only and the IdP doesn't have my metadata for this server.

Peter Schober

Mar 15, 2016, 1:38:50 PM
to SimpleSAMLphp
* Chris Harding <kille...@gmail.com> [2016-03-15 16:59]:
> And yes, that client has an http/https issue which I have alerted them on.

"client" being the SAML SP, OK.

> I am going to try another client as soon as I get permission. When I
> dodge the previous error message I finally came up with this one.

The "previous message" being the pop-up with the "insecure connection"
warning -- or the one about the error decoding the authn request?

> No peer endpoint available to which to send SAML response.

Incorrect Metadata.

> Which I am going to assume is because I am working on a development
> server that is IP only and the idP doesn't have my metadata for this
> server.

IP addresses have nothing to do with it, but not having correct
metadata does, yes.
(You could also put IP addresses in metadata if you wanted, the point
is making the metadata reflect what your browser sees, whatever that
may be.)

No matter the OpenSSL or PHP or SimpleSAMLphp version you previously
used: The list of different errors you keep adding to is not the
consequence of merely updating the software on those projects and
keeping existing configuration in place.

So you'll have to investigate each error and fix it as you go along.
There's no magic shortcut to such a slew of config/deployment errors.
-peter
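Peter's two diagnoses above (plain-HTTP endpoints in the SP metadata producing the "insecure connection" warning on POST from an HTTPS IdP, and metadata that does not reflect what the browser sees producing "No peer endpoint available") can both be checked mechanically before metadata is handed to an IdP. The following is an added example, not SimpleSAMLphp code or anything from this thread; the metadata document, host names and the address 10.0.0.5 are constructed.

```python
"""Flag SP metadata endpoints that cause the errors discussed in this thread:
AssertionConsumerService locations on plain HTTP, and locations whose host
differs from the one the user's browser actually uses. Added example, not
SimpleSAMLphp code; the metadata below is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: index 0 is a plain-HTTP ACS, index 1 points at an
# internal address the browser never sees (a dev box reached by IP only).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.0.5/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_endpoints(metadata_xml, browser_host):
    """Return a list of (acs_index, problem) tuples.

    browser_host is the hostname the user's browser really uses to reach the
    SP; an ACS on another host (or on plain HTTP) is one the IdP either will
    not post to safely or cannot match against its copy of the metadata."""
    root = ET.fromstring(metadata_xml)
    findings = []
    for acs in root.iterfind(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        idx = acs.get("index")
        location = acs.get("Location", "")
        url = urlparse(location)
        if url.scheme != "https":
            findings.append((idx, "plain-HTTP endpoint: " + location))
        if url.hostname != browser_host:
            findings.append((idx, "host %r does not match browser host %r"
                             % (url.hostname, browser_host)))
    return findings


if __name__ == "__main__":
    for idx, problem in check_sp_endpoints(SAMPLE_METADATA, "sp.example.org"):
        print("ACS index %s: %s" % (idx, problem))
```

Run it against the metadata your SP actually publishes and the hostname users type into the browser; an empty result means neither of the two failure modes above can come from the SP side of the metadata.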
