Why can't I connect to my CAS server with Perl's AuthCAS?

Question

I'm attempting to use an existing CAS server to authenticate login for a Perl CGI web script and am using the AuthCAS Perl module (v 1.3.1). I can connect to the CAS server to get the service ticket but when I try to connect to validate the ticket my script returns with the following error from the IO::Socket::SSL module:

 500 Can't connect to [CAS Server]:443 (Bad hostname '[CAS Server]') 
 ([CAS Server] substituted for real server name)

Symptoms/Tests:

1. If I type the generated URL for the authentication into the web browser's location bar it returns just fine with the expected XML snippet. So it is not a bad host name.
2. If I generate a script without using the AuthCAS module but using the IO::Socket::SSL module directly to query the CAS server for validation on the generated service ticket the Perl script will run fine from the command line but not in the browser.
3. If I add the AuthCAS module into the script in item 2, the script no longer works on the command line and still doesn't work in the browser.

Here is the bare-bones script that produces the error:

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use AuthCAS;
use CGI::Carp qw( fatalsToBrowser );

my $id = $ENV{QUERY_STRING};
my $q = new CGI;
my $target = "http://localhost/cgi-bin/testCAS.cgi";

my $cas = new AuthCAS(casUrl => 'https://cas_server/cas');

if ($id eq ""){
    my $login_url = $cas->getServerLoginURL($target);
    printf "Location: $login_url\n\n";
    exit 0;
} else {
    print $q->header();
    print "CAS TEST<br>\n";

    ## When coming back from the CAS server a ticket is provided in the QUERY_STRING
    print "QUERY_STRING = " . $id . "</br>\n";
    ## $ST should contain the received Service Ticket
    my $ST = $q->param('ticket');
    my $user = $cas->validateST($target, $ST);  #### This is what fails

    printf "Error: %s\n", &AuthCAS::get_errors() unless (defined $user);
}

Any ideas on where the conflict might be?

Answer 1

I should be more precise. The exact error that comes back from the validate ST function is

error IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0) unable to connect https://[CAS Server]:443/

The bad hostname error i.e.

500 Can't connect to [CAS Server]:443 (Bad hostname '[CAS Server]') ([CAS Server] substituted for real server name)

Comes from IO::Socket::SSL if you try to do that directly.

Answer 2

Well, from the module source it looks like that IO::Socket error is coming from get_https2

[...]
unless ($ssl_socket) {
    $errors = sprintf "error %s unable to connect https://%s:%s/\n",&IO::Socket::SSL::errstr,$host,$port;
    return undef;
}
[...]

which is called by callCAS, which is called by validateST.

One option is to temporarily edit the module file to put some debug statements in if you can, but if I had to guess, I'd say the casUrl you are supplying isn't matching up to the _parse_url regex properly - maybe you have three slashes after the https?

Answer 3

The error is coming from the line directly above the snippet Cebjyre quoted namely

$ssl_socket = new IO::Socket::SSL(%ssl_options);

namely the socket creation. All of the input parameters are correct. I had edited the module to put in debug statements and print out all the parameters just before that call and they are all fine. Looks like I'm going to have to dive deeper into the IO::Socket::SSL module.

Answer 4

Is the error actually this:

error IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0) unable to connect https://:443/

or is there a hostname you have removed from what you are posting? If the error is exactly as above, $host is not set, which is used as the PeerAddr for the ssl_options hash.

Answer 5

I removed the host name and forgot to put a substitute in. My mistake, I've fixed the post.

Answer 6

As usually happens when I post questions like this, I found the problem. It turns out the Crypt::SSLeay module was not installed or at least not up to date. Of course the error messages didn't give me any clues. Updating it and all the problems go away and things are working fine now.