MetadataProvider SSL errors


MetadataProvider SSL errors

Gahring, David A

Greetings,

We are running the Shibboleth SP v2.6 on a SLES 11 SP 4 server, and I’m trying to get remote metadata out of ADFS.  We also have Shib2 running on a Win/IIS platform, and that is working fine.  The error appears to be related to the ciphers (?) being used by libcurl to negotiate a secure connection.  I’ve tried a number of things from cipher options to TransportOption settings with no joy.

Any ideas or observations would be appreciated.  Here is the error I’m seeing in our shibd.log file after startup.

2018-07-10 16:07:21 INFO Shibboleth.Application : building MetadataProvider of type XML...

2018-07-10 16:07:21 ERROR XMLTooling.libcurl.InputStream : error while fetching https://not.my.real.hostname/federationmetadata/2007-06/federationmetadata.xml: (35) error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters

2018-07-10 16:07:21 ERROR XMLTooling.ParserPool : fatal error on line 0, column 0, message: internal error in NetAccessor

Thanks for any help in pointing me in the right direction.

______________________________________

David A. Gahring

Systems Consultant - IT Department

Palm Beach State College

4200 Congress Avenue

Lake Worth, FL 33461

Work: 561.868.3320

Cell: 904.742-5407

Please note: Due to Florida’s broad open records law, most written communication to or from College employees is public record, available to the public and the media upon request. Therefore, this e-mail communication may be subject to public disclosure.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: MetadataProvider SSL errors

Gahring, David A

Greetings!

Found it!

Adding the following to the MetadataProvider section resolved the issue.

<TransportOption provider="CURL" option="10083">AES256-SHA</TransportOption>

Apparently SLES 11 has a pretty archaic version of OpenSSL, so you have to force something other than ECDH.

Thanks!


Re: MetadataProvider SSL errors

Cantor, Scott E.
> Adding the following to the MetadataProvider section resolved the issue.

Note that you can set cipherSuites directly in the configuration now without using tricks like that.

-- Scott

Re: MetadataProvider SSL errors

Gahring, David A

Hi Scott,

I finally got around to trying the cipherSuites option again as you suggested below, and I can't seem to get it to work.  Here are the two I've tried in the ApplicationDefaults tag with no success.  The only thing that I’ve gotten to work is the “tricky” approach using the TransportOption tag.  I’m certainly not an OpenSSL expert, so I’m probably missing something obvious?

    <ApplicationDefaults entityID="ourownweb-test"
                         REMOTE_USER="eppn persistent-id targeted-id"
                         cipherSuites="ALL:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SSLv2"
                         attributePrefix="AJP_">

     --- and this one ---

    <ApplicationDefaults entityID="ourownweb-test"
                         REMOTE_USER="eppn persistent-id targeted-id"
                         cipherSuites="AES256-SHA"
                         attributePrefix="AJP_">

If you have a few minutes, could you provide an example so I can see what I might be doing wrong?

Thanks!

Re: MetadataProvider SSL errors

Cantor, Scott E.
On 7/17/18, 11:28 AM, "users on behalf of Gahring, David A" <[hidden email] on behalf of [hidden email]> wrote:

> I finally got around to trying the cipherSuites option again as you suggested below, and I can't seem to get it to work.  

The real option probably doesn't change how batch metadata access works, just dynamic.

-- Scott
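As an added example (not code from the thread or from the Shibboleth project), a small Python audit of a shibboleth2.xml that reports the outbound cipher list configured in both places discussed above, the per-provider TransportOption trick (option 10083 is libcurl's CURLOPT_SSL_CIPHER_LIST) and the cipherSuites attribute, and flags a pinned static-RSA suite like AES256-SHA as giving up forward secrecy. The configuration it parses is constructed; the hostnames and file paths are placeholders.

```python
# Added example, not from the thread: audit a shibboleth2.xml for how the SP's
# outbound TLS cipher list is set, in the two places the thread discusses: the
# per-provider <TransportOption provider="CURL" option="10083"> (10083 is
# libcurl's CURLOPT_SSL_CIPHER_LIST) and cipherSuites on <ApplicationDefaults>.
# The config below is constructed; hostnames and file paths are placeholders.
import xml.etree.ElementTree as ET

CURLOPT_SSL_CIPHER_LIST = "10083"
# Cipher-string tokens selecting ephemeral key exchange, plus aliases that include them.
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH", "kEECDH", "kEDH", "ALL", "HIGH", "DEFAULT")

SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"
      cipherSuites="ALL:!aNULL:!eNULL:!LOW:!EXPORT:!RC4:!SSLv2">
    <MetadataProvider type="XML" backingFilePath="adfs.xml"
        uri="https://adfs.example.org/federationmetadata/2007-06/federationmetadata.xml">
      <TransportOption provider="CURL" option="10083">AES256-SHA</TransportOption>
    </MetadataProvider>
    <MetadataProvider type="XML" backingFilePath="idp.xml"
        uri="https://idp.example.org/idp/shibboleth"/>
  </ApplicationDefaults>
</SPConfig>"""

def _local(tag):
    # Strip the namespace: '{urn:...}MetadataProvider' -> 'MetadataProvider'
    return tag.rsplit("}", 1)[-1]

def offers_forward_secrecy(cipher_list):
    """True if some non-negated token can select an ephemeral key exchange.  A pinned
    static-RSA suite such as AES256-SHA (the workaround above) returns False: it will
    handshake on old OpenSSL, but a later key compromise exposes recorded sessions."""
    tokens = [t for t in cipher_list.split(":") if t and not t.startswith("!")]
    return any(kx in t for t in tokens for kx in EPHEMERAL_KX)

def audit_cipher_config(xml_text):
    """Return (scope, cipher_list or None, forward_secret or None) per relevant element."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "ApplicationDefaults" and el.get("cipherSuites"):
            cs = el.get("cipherSuites")
            findings.append(("ApplicationDefaults.cipherSuites", cs, offers_forward_secrecy(cs)))
        elif name == "MetadataProvider" and el.get("uri", "").startswith("https://"):
            opts = [o.text.strip() for o in el if _local(o.tag) == "TransportOption"
                    and o.get("provider") == "CURL"
                    and o.get("option") == CURLOPT_SSL_CIPHER_LIST and o.text]
            cs = opts[-1] if opts else None  # nothing pinned: libcurl/OpenSSL defaults apply
            findings.append(("MetadataProvider " + el.get("uri"), cs,
                             offers_forward_secrecy(cs) if cs else None))
    return findings
```

Running `audit_cipher_config(SAMPLE_CONFIG)` lists the ApplicationDefaults cipherSuites as forward-secret-capable, the ADFS provider pinned to AES256-SHA without forward secrecy, and the second provider with no cipher list set at all.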