search

google-code-export / rubycas-client

Automatically exported from code.google.com/p/rubycas-client
1 stars 1 forks source link

Verify the SSL connection when communicating with CAS #36

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Place CAS under an untrusted ssl certificated
2. Try to login in your application with a generated ticket

What is the expected output? What do you see instead?
I expect that my application do NOT trust on an wrong certificated.

I will try to explain why I'm requesting this.
I'm working on an environment with many applications. Some applications
depend on others applications. All applications are under CAS authentication.
The problem here is if someone intercept the communication between one of
my application with CAS and automatically approves all of the requests.
For example:

There is an A application witch depends of a B application:
 _____           _____
|     |    st   |     |
|  A  | ======> |  B  |
|_____|         |_____|
 || /\     valid?|| /\
 \/ ||st         \/ ||yes!
 ____________________
|                    |
|         CAS        |
|____________________|

If someone stays between B and CAS communication and always say YES
independent of the given ticket, anyone can login on system B:

       _____
      |     |
      |  B  |<==== INVALID Ticket
      |_____|
  valid?|| /\
        \/ ||yes!
 ____________________
|                    |
|      Fake CAS      |
|____________________|
 ____________________
|                    |
|         CAS        |
|____________________|

The only way of granting that the one saying YES in this case is the real
CAS is having a valid certificated. Am I right?

To make it work, we just need to add the following line before any request
to Cas URIs:
https.verify_mode = OpenSSL::SSL::VERIFY_PEER

We could add some configuration validation to keep thinks simplest while
developing.

What you think?

Roberto Klein.

Original issue reported on code.google.com by robert...@gmail.com on 15 Apr 2010 at 7:53

GoogleCodeExporter commented 9 years ago 
Sounds right to me. SSL verification is disabled by default to lower the bar 
for 
simple setups, but I think you're right that you should be able to enable it 
via a 
configuration option.

Original comment by matt.zuk...@gmail.com on 15 Apr 2010 at 9:57

GoogleCodeExporter commented 9 years ago 
Implemented and requested the merge.

Original comment by robert...@gmail.com on 16 Apr 2010 at 2:54

GoogleCodeExporter commented 9 years ago 
Matt,
Did you checket out my commit?

Original comment by robert...@gmail.com on 19 Apr 2010 at 3:42