[OTDev] OpenSSO now secure

Andreas Maunz andreas at maunz.de
Thu Jun 10 10:21:14 CEST 2010


Hi all,

connections to the OpenSSO service at opensso.in-silico.ch can now be 
made secure by using SSL.
Submit your user credentials safely and obtain a token:

****************************************************************
am at z21:~/aa$ curl -v -k -i -d "username=amaunz&password=secret" 
https://opensso.in-silico.ch/opensso/identity/authenticate?uri=service=openldap
* About to connect() to opensso.in-silico.ch port 443 (#0)
*   Trying 178.63.18.76... connected
* Connected to opensso.in-silico.ch (178.63.18.76) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
   CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* 	 subject: C=CH; ST=Some-State; L=Basel; O=in silico toxicology; 
CN=Christoph Helma; emailAddress=helma at in-silico.ch
* 	 start date: 2010-06-09 16:38:59 GMT
* 	 expire date: 2020-06-06 16:38:59 GMT
* 	 common name: Christoph Helma (does not match 'opensso.in-silico.ch')
* 	 issuer: C=CH; ST=Some-State; L=Basel; O=in silico toxicology; 
CN=Christoph Helma; emailAddress=helma at in-silico.ch
* 	 SSL certificate verify result: self signed certificate (18), 
continuing anyway.
> POST /opensso/identity/authenticate?uri=service=openldap HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: opensso.in-silico.ch
> Accept: */*
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/0.6.32
Server: nginx/0.6.32
< Date: Thu, 10 Jun 2010 08:12:27 GMT
Date: Thu, 10 Jun 2010 08:12:27 GMT
< Content-Type: text/plain;charset=UTF-8
Content-Type: text/plain;charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< Content-Length: 72
Content-Length: 72

<
token.id=AQIC5wM2LY4SfcyyY3V7C7qD1FD2ZoktJHsYKEKE8g+wXys=@AAJTSQACMDE=#
* Connection #0 to host opensso.in-silico.ch left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
****************************************************************

As you can see, a special switch (-k) is still required to allow 
connections using the self-signed certificate from Christoph. We might 
improve on this by using a free certificate from startssl.com, which 
clients trust.

Moreover, connections without SSL still work as usual.

Greetings
Andreas

-- 
http://www.maunz.de

             And on the 8th day God said: "Ok Murphy, you take over."
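Added example, not part of Andreas's post or the OpenSSO project: the same authenticate call from Python with certificate verification kept on, pinning the operator's self-signed certificate (or using the system trust store once a CA-issued certificate is in place) instead of passing -k, plus a parser for the `token.id=` reply shown above. The host, the cafile path and the function names are assumptions.

```python
import ssl
import urllib.parse
import urllib.request

# Endpoint as shown in the post; host and cafile are supplied by the caller.
OPENSSO_AUTH_PATH = "/opensso/identity/authenticate?uri=service=openldap"


def parse_token(body: str) -> str:
    """Return the session token from an OpenSSO authenticate response.

    A successful login answers with one line 'token.id=<value>'; the value
    itself may contain '=' so only the first one is split on. Any other
    body (error text, empty reply) is treated as a failed login.
    """
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "token.id" and value.strip():
            return value.strip()
    raise ValueError("no token.id in authenticate response")


def pinned_context(cafile=None) -> ssl.SSLContext:
    """Build a TLS context that verifies the server instead of using -k.

    cafile: PEM file holding the operator's self-signed certificate, so the
    chain verifies against exactly that certificate. None uses the system
    trust store, which is what a CA-issued certificate would need.
    Hostname checking stays on, so a certificate whose CN does not match
    the host (as in the post's curl output) is rejected rather than ignored.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authenticate(host: str, username: str, password: str, cafile=None) -> str:
    """POST credentials over HTTPS and return token.id (a bearer credential; keep it out of logs)."""
    data = urllib.parse.urlencode({"username": username, "password": password})
    req = urllib.request.Request(
        f"https://{host}{OPENSSO_AUTH_PATH}",
        data=data.encode("utf-8"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=pinned_context(cafile)) as resp:
        return parse_token(resp.read().decode("utf-8"))
```

With the self-signed certificate exported to a PEM file, `authenticate("opensso.in-silico.ch", user, pw, cafile="server.pem")` fails closed on the CN mismatch the post's curl output reports, which is the check -k switches off.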
