Backchannel attribute query vs. SSL handshake error
Dave Perry
Dave.Perry at hull-college.ac.uk
Mon Aug 3 06:57:27 EDT 2015
We had this issue when I was setting up our v3 IdP. I had originally tried using inetd to do port remapping, then moved away from that later on - but clearly hadn't disabled it properly. Once I'd disabled it properly, Jetty was able to work and the 8443 backchannel did.
Also, are your 8443 connections from the outside world to your IdP going straight to the server or via a reverse proxy? Our new IdP sits behind Microsoft Forefront TMG, and it took a few goes to persuade it to pass 8443 traffic on properly.
HTH,
Dave
_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group
Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930
* Need a fast reply? Try elearning at hull-college.ac.uk *
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: 31 July 2015 17:20
To: Shib Users
Subject: Re: Backchannel attribute query vs. SSL handshake error
On 7/31/15, 1:27 AM, "users on behalf of Misagh Moayyed" <users-bounces at shibboleth.net on behalf of mmoayyed at unicon.net> wrote:
>Attempts to connect to the idp from the SP via openssl: "openssl
>s_client -cert ./sp-cert.pem -key ./sp-key.pem -connect
>idp.example.org:8443 -debug -msg -state" reports back SSL handshake
>errors. Attempts to connect to the idp from the idp machine itself with
>the same exact command works successfully.
That usually suggests an issue with the interface(s) it's actually listening on; there really isn't anything else that could apply to give you different results with the same OpenSSL client.
If nmap -p 8443 from off-host reports the port is open, then I guess one possibility would probably be something else listening on the port and not Jetty.
-- Scott
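To make the two diagnoses in this thread concrete (Jetty bound only to loopback, or something other than Jetty such as a leftover inetd port remap owning 8443), here is an added shell script that is not part of the thread or of Shibboleth itself. It classifies `ss -ltnp` output for the backchannel port and wraps the quoted `openssl s_client` command so the certificate presented on 8443 can be compared when run on the IdP host and from the SP host. The `ss` sample lines are constructed, the function names `diagnose_port` and `presented_subject` are my own, and the SP certificate and key paths are taken from the quoted command.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for the "works on the IdP host,
# fails from the SP" symptom. The `ss -ltnp` sample lines below are constructed.

# diagnose_port PORT: reads `ss -ltnp` output on stdin and prints one verdict:
#   none                  nothing listens on PORT
#   loopback-only         only 127.0.0.1 / [::1] bindings, so off-host clients never reach Jetty
#   foreign-process:NAME  something other than the Jetty JVM ("java") owns the port
#   ok                    a java process listens on a non-loopback address
# Assumes the default `ss -ltnp` layout (Local Address:Port is column 4).
diagnose_port() {
  awk -v port="$1" '
    $1 == "State" { next }                                   # header line
    {
      sock = $4
      n = split(sock, parts, ":")
      lport = parts[n]
      if (lport != port) next
      addr = substr(sock, 1, length(sock) - length(lport) - 1)
      proc = "unknown"
      # process column looks like users:(("java",pid=2210,fd=48))
      if (match($0, /users:\(\("[^"]*"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      found++
      if (addr == "127.0.0.1" || addr == "[::1]") loop++; else other++
      if (proc != "java") foreign = proc
    }
    END {
      if (!found)        print "none"
      else if (foreign)  print "foreign-process:" foreign
      else if (!other)   print "loopback-only"
      else               print "ok"
    }'
}

# presented_subject HOST [SP_CERT SP_KEY]: subject of the certificate presented on
# HOST:8443, authenticating with the SP's client certificate as in the quoted
# openssl command. Run it on the IdP host and again from the SP host; the subjects
# should match. If they differ, something other than Jetty (an inetd remap, a
# reverse proxy with its own certificate) answered the off-host connection.
presented_subject() {
  host="$1"; cert="${2:-./sp-cert.pem}"; key="${3:-./sp-key.pem}"
  openssl s_client -connect "$host:8443" -cert "$cert" -key "$key" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Constructed samples of `ss -ltnp` output for the situations discussed above.
HEADER='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process'
SAMPLE_OK="$HEADER
LISTEN 0 50 *:8443 *:* users:((\"java\",pid=2210,fd=48))"
SAMPLE_LOOPBACK="$HEADER
LISTEN 0 50 127.0.0.1:8443 0.0.0.0:* users:((\"java\",pid=2210,fd=48))"
SAMPLE_INETD="$HEADER
LISTEN 0 128 0.0.0.0:8443 0.0.0.0:* users:((\"inetd\",pid=611,fd=5))
LISTEN 0 50 127.0.0.1:8443 0.0.0.0:* users:((\"java\",pid=2210,fd=48))"

for s in "$SAMPLE_OK" "$SAMPLE_LOOPBACK" "$SAMPLE_INETD"; do
  printf '%s\n' "$s" | diagnose_port 8443
done

# On a real IdP host:  ss -ltnp | diagnose_port 8443
# Set IDP_HOST to also print the certificate subject presented on 8443.
if [ -n "${IDP_HOST:-}" ]; then
  presented_subject "$IDP_HOST"
fi
```

The three constructed samples print `ok`, `loopback-only` and `foreign-process:inetd` in turn; the last one is the shape of the problem Dave describes, where an inetd listener still sits in front of the port on all interfaces while Jetty itself only binds loopback.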