So, Stefan and I spent some time debugging Apache and Firefox.
What we're seeing is that Firefox receives an initial token from the
server and init_sec_context returns GSS_C_CONTINUE_NEEDED.
However, that token never makes it to gssEapAcceptSecContext on the
server.
Stefan has tested gss-client with spnego so that's not the problem.
The most likely problem is that the Apache module is simply not working
on CentOS correctly and that the problem is specific to something in the
Apache part of the Apache module.
That's actually rather surprising as that code does very little.
Did we ever figure out whether we were going to stick with our Apache
module or end up moving to the Red Hat module?
If we're going to abandon the negotiate support in our module, now might
be an excellent time to do so.
Otherwise, someone should debug it on the Painless Security side; we'll
need to figure out who and what priority.
--Sam