views:

954

answers:

4

I setup my own open id provider on my personal server, and added a redirect to https in my apache config file. When not using a secure connection (when I disable the redirect) I can log in fine, but with the redirect I can't log in with this error message:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I'm guessing that this is because I am using a self signed certificate.

Can anyone confirm if the self signed certificate is the issue? If not does anyone have any ideas what the problem is?

+2  A: 

It sounds like it. The client of your OpenID server doesn't trust the root certification authority.

Blair Conrad
That make sense since I generated the certificate myself. I don't feel a need to pay verisign $200 a year just so an occasional warning box doesn't pop up. Especially since I'm the only one connecting to the machine.
Mark Roddy
+6  A: 

The primary benefit of using SSL for your OpenID URL is that it gives the relying party a mechanism to discover if DNS has been tampered with. It's impossible for the relying party to tell if an OpenID URL with a self-signed certificate has been compromised.

There are other benefits you get from using SSL on your provider's endpoint URL (easier to establish associations, no eavesdropping on the extension data) which would still hold if you used a self-signed cert, but I would consider those to be secondary.

keturn
If I can't use a self signed cert then I am forced to use an http connection in which case I loose the primary AND secondary benefits. I'd prefer to not have the URL verified and send encrypted passwords to not having the URL verified and sending plain text passwords.
Mark Roddy
You can use https for the user interface without changing the OpenID or endpoint. As an example, trace the flow myOpenID uses when authenticating http identifiers. It forwards the browser from the http endpoint to a https page.
keturn
Thanks! Thats exactly what I needed.
Mark Roddy
Um, it *was* what you needed? Hey, RPs *should not* work with https for self-signed certs generally speaking. Regardless of any tricks you play with redirects, you're not getting the security of using SSL unless you have a certificate signed by someone the RP trusts.
Andrew Arnott
+2  A: 

(Disclaimer: I'm new to OpenID, so I might be wrong here.) The communication between the Open ID Consumer (e.g., StackOverflow) and the Open ID Provider (your server) does not require HTTPS -- it will work just as fine and just as securely over plain HTTP. What you need to do is to configure your server to switch to HTTPS only when it shows you your login page. In that case, only your browser needs to concern itself with the self-signed certificate. You could import the certificate onto your PC and everything will be as secure as with, say, Verisign-issued certificate.

Alexander
+3  A: 

OpenID is designed in a redirect-transparent way. As long as the necessary key/value pairs are preserved at each redirect, either by GET or POST, everything will operate correctly.

The easiest solution to achieve compatibility with consumers that do not work with self-signed certificates is to use a non-encrypted end-point which redirects checkid_immediate and checkid_setup messages to an encrypted one.

Doing this in your server code is easier than with web server redirects as the former can more easily deal with POST requests, while also keeping code together. Furthermore, you can use the same end-point to handle all OpenID operations, regardless whether or not it should be served over SSL, as long as proper checks are done.

For example, in PHP, the redirect can be as simple as:

// Redirect OpenID authentication requests to https:// of same URL
// Assuming valid OpenID operation over GET
if (!isset($_SERVER['HTTPS']) &&
        ($_GET['openid_mode'] == 'checkid_immediate' ||
         $_GET['openid_mode'] == 'checkid_setup'))
    http_redirect("https://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}");

As the openid.return_to value was generated against a plain HTTP end-point, as far as the consumer is concerned, it is only dealing with a non-encrypted server. Assuming proper OpenID 2.0 operation with sessions and nonces, whatever information passed between the consumer and your sever should not reveal exploitable information. Operations between your browser and the OpenID server, which are exploitable (password snooping or session cookie hijacking) are done over an encrypted channel.

Aside from keeping out eavesdroppers, having authentication operations be carried out over SSL allows you to use the secure HTTP cookie flag. This adds yet another layer of protection for checkid_immediate operations, should you wish to allow it.

Yang Zhao