The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

OpenSSLErrors

OpenSSL is a toolkit that Shibboleth uses to perform most of its cryptography in providing mutual authentication of providers and secure channels for communication. Notoriously confusing error messages from OpenSSL may appear in Apache and various Shibboleth logs as a result of misconfiguration. A few commonly encountered SSL errors and their possible causes are collected here.

Always check first to ensure that there is only one version of OpenSSL being used by Apache, the various dependencies of Shibboleth, and Shibboleth itself. OpenSSL doesn't version itself properly, which causes the Linux community to in turn version it according to their own whims, all of which results in dependent code loading versions that ordinarily they wouldn't even see. Mix versions from different packagers and you get total chaos. Windows installations are worse, with old OpenSSL installations (or packages that include SSL libraries, like PHP) often contaminating system32.

  • SSL: couldn't set callback

    This error is caused by OpenSSL version mismatches in the installation on Windows. There must be no other version of SSL present in the system's path. Solving this problem usually starts by removing all (shared) SSL libraries (.so or .dll) on your system; these will most often be found in system32.

  • ERROR shibtarget.ShibHTTPHook [2] sessionGet: caught a SAML exception while attaching credentials to request: Unable to attach private key to SSL context

    The file referenced in the Credentials element is not a proper private key, which could mean it's in an unsupported format, malformed, or not a key at all. Alternatively, it could be that the private key is encrypted and that one therefore has to configure Shibboleth to use a password for decrypting the private key.

  • ERROR shibtarget.SessionCache [2] sessionGet: caught SAML exception during SAML attribute query: SOAPHTTPBindingProvider::send() failed while contacting SAML responder: error signaled by ssl ctx callback : SSLCtxCallbackError
  • ERROR OpenSSL [6004] sessionNew: path validation failure: unable to get local issuer certificate

    The certificate provided by the relying party is rooted in an authority that is not trusted in any of the metadata.xml files that Shibboleth is configured to use.

  • error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

    This catch-all error message can mean a variety of things which all have to do with an invalid certificate for this connection. It is most frequently triggered when the CN of the certificate doesn't match the hostname of the entity communicating. It can also be a signal that your certificate is beyond its validity period (which is a critical error for Shibboleth).

  • ERROR OpenSSL [0] sessionNew: error code: 151429224 in pem_lib.c

    ERROR OpenSSL [0] sessionNew: error code: 336265225 in ssl_rsa.c

    ERROR OpenSSL [0] sessionNew: error code: 336265225 in ssl_rsa.c

    ERROR shibtarget.ShibHTTPHook [0] sessionNew: caught a SAML exception while attaching credentials to request: Unable to attach private key to SSL context

    The SP is loading an encrypted private key, but no password has been provided in the configuration. Either provide a password for the key in shibboleth.xml (see IdPPKIConfig) or decrypt the private key.
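
The numeric codes in the entries above are packed OpenSSL error values. The following added example (not part of the Shibboleth documentation or code) splits them into library, function and reason numbers and produces the hex form that OpenSSL itself prints. It assumes the packing used by OpenSSL releases before 3.0; the names `unpack` and `decode_line` are chosen here for illustration.

```python
import re

# Assumption: the packed layout used by OpenSSL releases before 3.0:
# bits 31-24 = library, bits 23-12 = function, bits 11-0 = reason.
LIB_NAMES = {9: "PEM routines", 20: "SSL routines"}  # only the libraries seen on this page
SSL_AD_REASON_OFFSET = 1000  # SSL-library reasons above this encode a received TLS alert
TLS_ALERTS = {42: "bad_certificate"}  # alert number from the TLS specification

DECIMAL_RE = re.compile(r"error code: (\d+) in \S+")  # form written in the Shibboleth logs
HEX_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")       # form written by OpenSSL itself


def unpack(code):
    """Split a packed error code into library, function and reason numbers."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == 20 and reason > SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(number, "alert %d" % number)
    return {"hex": "%08X" % code, "lib": lib, "lib_name": LIB_NAMES.get(lib, "unknown"),
            "func": func, "reason": reason, "alert": alert}


def decode_line(line):
    """Return the decoded error from one log line, or None if it carries no code."""
    match = DECIMAL_RE.search(line)
    if match:
        return unpack(int(match.group(1)))
    match = HEX_RE.search(line)
    if match:
        return unpack(int(match.group(1), 16))
    return None


# Log lines copied from the entries above.
SAMPLE_LINES = [
    "ERROR OpenSSL [0] sessionNew: error code: 151429224 in pem_lib.c",
    "ERROR OpenSSL [0] sessionNew: error code: 336265225 in ssl_rsa.c",
    "error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = decode_line(line)
        print("error:%(hex)s lib=%(lib)d (%(lib_name)s) func=%(func)d "
              "reason=%(reason)d alert=%(alert)s" % d)
```

The hex value can be passed to `openssl errstr` (for example `openssl errstr 0906A068`) on an OpenSSL build of the same generation to get the library's own text for the error.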