Error processing authn response. Lasso error: [-111] Failed to verify signature., #115
Comments
Are the responses signed using SHA-1 or not?
No, it should be SHA-256. As I do not have hands-on experience with Rocky 9 yet, I do not know what the issue is. Does it help to enable Mellon Diagnostics to get more information?
I already have this enabled in my Apache configuration ("MellonDiagnosticsEnable On") but cannot understand everything apart from some 400 response codes in the log messages. On the browser, I see this:
@thijskh on RHEL-9 we disable SHA-1 based signatures. SHA-1, especially in certificates, is considered broken these days; my advice is to upgrade your infrastructure to use SHA-256 or better and remove any uses of SHA-1 for signatures if possible.
Note that the whole certificate chain matters. If any intermediary CA is signed with SHA-1, RHEL will refuse to validate the certs.
Note that it has not been definitively established that the OP actually uses SHA-1 somewhere.
What signing algorithm is actually being used?
I am using SHA-256 for the SSL certificates + SAML. Here is some information from the diagnostics + the openssl command: I looked at the mellon.cert file under ~/etc/apache/mellon and RSA Public-Key: (3072 bit). Do you mean MellonSPPrivateKeyFile? I am not sure how to decrypt it.
Additionally, the mellon_create_metadata uses the following:
If you change the crypto policy on the system to LEGACY, and restart the services, does it start working? You can test that with:
Remember to set it back to the DEFAULT policy after the test and restart the services.
We're seeing this same error on RockyLinux 9. The lasso logs do mention sha1, so I wonder if there's some lasso+openssl3.0 incompatibility to do with the removal of SHA1 as a default algo (even if it has been re-enabled):
This is the piece of code in lasso that is throwing the error:
So yeah, it seems lasso added its own sha1 blockage on top of what OpenSSL does in EL9.
Or perhaps I fail to understand what this is checking; it seems there are similar checks for SHA256 and up, so I am not sure I understand what the intent of the code is yet.
In EL9 lasso is compiled with --with-min-hash-algo=sha256 so I am not sure sha1 can actually be re-enabled at all, although this does not really explain the error, unless there is some certificate/signature in the chain that depends on verifying a sha1 based signature, as far as I can tell.
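The comments above turn on one question: which hash algorithm the IdP actually used in the XML signature, and whether it falls below the sha256 minimum that an EL9 lasso build enforces. The script below is an added example (not lasso's or mod_auth_mellon's code) that mimics that minimum-hash check on a saved SAML Response, such as the XML obtained by base64-decoding the SAMLResponse form field of the POST to /mellon/postResponse. It reports, for the Response signature and for each Assertion signature separately, every SignatureMethod or DigestMethod below the configured minimum. The algorithm-URI table and the sample response are constructed for this example; the sample has a sha256-signed Response wrapping a sha1-signed Assertion, which is the kind of chain the comments suspect.

```python
"""Report XML-DSig hash algorithms in a SAML Response that fall below a minimum.

Added example for this thread; not lasso's or mod_auth_mellon's own code.
It mimics the effect of lasso's --with-min-hash-algo=sha256 build option by
flagging any SignatureMethod/DigestMethod weaker than the chosen minimum.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hash output size in bits for the standard XML-DSig algorithm URIs
# (table constructed for this example; unknown URIs are treated as 0 bits).
HASH_BITS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": 160,
    "http://www.w3.org/2000/09/xmldsig#sha1": 160,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": 256,
    "http://www.w3.org/2001/04/xmlenc#sha256": 256,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": 384,
    "http://www.w3.org/2001/04/xmldsig-more#sha384": 384,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": 512,
    "http://www.w3.org/2001/04/xmlenc#sha512": 512,
}
MIN_HASH_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def enclosing_element(elem, parents):
    """Walk up to the nearest samlp:Response or saml:Assertion ancestor."""
    while elem is not None:
        if elem.tag in (f"{{{SAMLP}}}Response", f"{{{SAML}}}Assertion"):
            return elem.tag.split("}")[1]
        elem = parents.get(elem)
    return "?"


def weak_algorithms(saml_xml, min_hash="sha256"):
    """Return (container, element, uri) for each SignatureMethod or DigestMethod
    whose hash is weaker than min_hash or whose URI is not recognised."""
    min_bits = MIN_HASH_BITS[min_hash]
    root = ET.fromstring(saml_xml)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if elem.tag not in (f"{{{DS}}}SignatureMethod", f"{{{DS}}}DigestMethod"):
            continue
        uri = elem.get("Algorithm", "")
        if HASH_BITS.get(uri, 0) < min_bits:
            findings.append((enclosing_element(elem, parents),
                             elem.tag.split("}")[1], uri))
    return findings


# Constructed sample: the Response is signed with sha256 but the enclosed
# Assertion is signed with sha1. Digest/signature values are dummies.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assert1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>AAAA</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for where, what, uri in weak_algorithms(SAMPLE_RESPONSE):
        print(f"{where}: {what} uses {uri}, below the sha256 minimum")
```

Run it against the decoded response from your own failing login; if it prints nothing at the sha256 minimum, the XML signature itself is not the offender and the SHA-1 dependency, if any, lies in the signing certificate chain instead, which is the other case raised earlier in the thread.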
Thanks for your feedback. I tried this but no luck. The error message remains the same.
If this is a subordinate CA, yes.
We have the same issue on AlmaLinux 9.1:
Same behaviour is seen on Rocky 9.1 with both the available Lasso package from the repo (lasso-2.7.0-8.el9.x86_64) and a Lasso 2.8.0 package (taken from https://lemonldap-ng.org/redhat/extras/9/x86_64/lasso-2.8.0-1.el9.x86_64.rpm). My env:
Confirming the same behaviour on Ubuntu 22.04; it seems to be running the same versions of lasso as Rocky/Alma 9 ultimately.
Has anyone managed to make it work? I have the same error in Rocky Linux 9.1:
Look into this post, there you can find suggestions/alternatives. br,
In my case, this was fixed by changing the Canonicalization and Transform methods to
It still happens in Rocky Linux 9.4 with:
Any known issue with RHEL/Rocky 9.1? It works fine on RHEL/Rocky 8.7/Ubuntu 22.04.
I am trying to set up SSO in Apache using Mellon and Azure AD on RHEL 9.1.
With mod_auth_mellon module v0.18.0, I see the following error message just after the response for the request "POST - /mellon/postResponse":
[APLOG_ERR auth_mellon_handler.c:2201] Error processing authn response. Lasso error: [-111] Failed to verify signature., SAML Response: StatusCode1="urn:oasis:names:tc:SAML:2.0:status:Success", StatusCode2="(null)", StatusMessage="(null)"
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/known-issues : Here, I see some known issues with SHA signatures but not very sure if this is related to the above error message.