PKINIT and LDAP
Bram Cymet
bcymet at cbnco.com
Mon Aug 23 17:55:36 EDT 2010
On 08/23/2010 01:20 PM, Bram Cymet wrote:
> Hi,
>
> When I had my realm backended with kdb, pkinit worked with certificates
> just fine. Now that I have set up my realm to have an LDAP backend, when
> I try to kinit with certificates my KDC segfaults.
>
> Well, it is actually OpenSSL that crashes on a call to
> X509_get_subject_name(). The only reason I could really see this call
> failing is if the data being passed to it is not really an X.509 cert?
>
> Any ideas why this could be happening? Do I have to have the client
> cert in LDAP? Could this be a configuration problem?
>
> Thanks,
>
I have found the location of the problem. It is a certificate chain
verification problem. I know that my chain should validate; however, a
call to X509_verify_cert() in
plugins/preauth/pkinit/pkinit_crypto_openssl.c sets ctx->error to 0,
which, according to the OpenSSL source, should not happen:
#define X509_V_OK 0
/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
So in this case openssl_callback_ignore_crls() returns 0, and the KDC
goes on to try and look at what should be a CRL, but since I am not
checking a CRL there is nothing there and it segfaults. Before I was
using the LDAP backend I was using the same cert generation process and
everything worked just fine, so I am fairly sure my certs are OK.
I am really not sure why my using the LDAP backend would have any effect
on how the certificate chain is validated. I will continue to
investigate this from an OpenSSL point of view, but has anyone ever come
across this before, or have any idea what could be going on?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752