Backchannel failing after upgrade

Klingenstein, Nate nklingenstein at calstate.edu
Thu Jan 12 15:46:36 EST 2017


James,

There is a wide variety of possible differences between the certificates
that could trigger the differential behavior.  One obvious thing to
check is the signature algorithm used.

https://cs.auscert.org.au/news/deprecation-of-sha1-certificates

openssl s_client will be as verbose as you could possibly desire.  I get
lost below debug1.

Hope this helps,
Nate.

On 01/12/2017 08:36 PM, James Drews wrote:
> Well, I'll go dig what version the SP is, but it's odd that on the same host using the same openssl program (Version: OpenSSL 1.0.1t  3 May 2016) when using one cert/key pair it fails, but another cert/key pair works. So I wouldn't think it is a library issue on the SP end.
>
> I'm also having our SP guy look into the question of why it is even using the backchannel (attribute fetch?)....
>
> I'll also mention, that if I use the non-working cert and connect to port 443 (same jetty engine), that works. So there is something else in the backchannel rejecting it.
>
> Thanks
> James
>
> -----Original Message-----
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
> Sent: Thursday, January 12, 2017 10:24 AM
> To: Shib Users <users at shibboleth.net>
> Subject: RE: Backchannel failing after upgrade
>
>> I didn't see anything "extra" to do in the release notes that had to 
>> be done after the upgrade install. I've also looked at the document 
>> describing the jetty 9.3 config, and I'm not seeing anything out of place there either.
> I doubt it has anything to do with the IdP per se, it's probably the fact that the TLS configuration was modernized.
>
> You didn't indicate what the SP version is or the OpenSSL version, but a suitably old one doesn't connect to modern servers at the command line without other options due to SSLv3 being off and older ciphers disabled. The SP generally uses the right settings and should work regardless, but without any error to even respond to I have no further speculation. If it's really old and broken, then anything is possible.
>
> Most shouldn't need the back channel at all, so an obvious question is what you're using it for.
>
> -- Scott
>
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
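A check for Nate's first suggestion, the signature algorithm, as added example code that is not from this thread: it reads the outer signatureAlgorithm OID straight out of a DER certificate with a few lines of ASN.1 walking, so the working and non-working cert/key pairs can be compared independently of which openssl build is on the host. The SIG_ALGS table and sample_cert() are my own constructed material; sample_cert() builds cert-shaped bytes for demonstration only, not a real certificate.

```python
# signatureAlgorithm OID -> (name, deprecated for TLS server certificates)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm field of a DER X.509 certificate."""
    tag, start, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)                    # tbsCertificate, skipped whole
    alg_tag, alg_start, _ = _tlv(der, tbs_end)          # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid_start, oid_end = _tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER X.509 certificate")
    return _decode_oid(der[oid_start:oid_end])

def classify(der):
    """(algorithm name, deprecated?) for a DER cert; unknown OIDs come back as (oid, None)."""
    oid = signature_algorithm(der)
    return SIG_ALGS.get(oid, (oid, None))

def sample_cert(sig_oid_hex):
    """Constructed, cert-shaped DER (NOT a real certificate) carrying the given signature OID."""
    def der(tag, body):                                 # short-form lengths are enough here
        return bytes([tag, len(body)]) + body
    tbs = der(0x30, der(0x02, b"\x01"))                 # stand-in for tbsCertificate
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))    # ... plus an empty signature BIT STRING
```

For a PEM file, convert first with the standard library's ssl.PEM_cert_to_DER_cert() and pass the result to classify(); a (name, True) result on the failing pair and (name, False) on the working pair points at the signature algorithm as the difference.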