CAS server has a cert signed by Thawte, tomcat server explicitly trusts the 
cert chain from Thawte and the certificate on the CAS server.

Tomcat server is running a self signed cert.

Not using proxy mode.

From a browser on the tomcat server I can log into cas and access other 
services.

-Andrew

On Feb 10, 2011, at 3:48 AM, Pierre Brun wrote:

> Do you have a self-signed certificate?
> Does your client also have a self-signed certificate?
> Is the CAS client working in proxy mode?
> 
> 2011/2/9 Andrew Tillinghast <[email protected]>
> 
> Pretty sure this isn't a CAS problem, more of a tomcat problem but it's CAS 
> related so someone might have some advice.
> We have a CAS server 3.4.5 that is running and a number of CASified 
> applications are running and working fine.
> 
> Have a new client app (Liferay 6) that is running on Tomcat 6 on the server; 
> we've explicitly added the CAS server's SSL cert to CACerts. The trust shows 
> up in the list and in javax.net.debug=ssl,handshake
> 
> However when this server attempts to validate a CAS ticket it fails with:
> TP-Processor3, WRITE: TLSv1 Handshake, length = 73
> TP-Processor3, WRITE: SSLv2 client hello message, length = 98
> TP-Processor3, received EOFException: error
> TP-Processor3, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
> TP-Processor3, SEND TLSv1 ALERT:  fatal, description = handshake_failure
> TP-Processor3, WRITE: TLSv1 Alert, length = 2
> TP-Processor3, called closeSocket()
> 14:36:10,091 ERROR [CommonUtils:294] Remote host closed connection during handshake
> javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
>       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:808)
>       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
>       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
>       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
>       at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
>       at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
> 
> We have the CACERT set in the server.xml as truststore and as I said the CAS 
> server's cert is showing up in the "adding as trusted cert" list.
> 
> I'm not as familiar with tomcat as I am with JBoss so if anyone has a 
> suggestion as to why this is failing it would be a huge help.
> 
> Andrew Tillinghast
> Sr. Web Developer
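
Added example (not part of the original message, and not CAS or Tomcat code): a small triage of javax.net.debug output that separates a certificate trust failure from a peer closing the connection before any server record was read, which is what the quoted log shows. The function name, the verdict strings and the second log sample are constructed for illustration; the "+v2hello" flag is only a lead to check, not a diagnosis the thread confirms.

```python
import re

# Copied from the javax.net.debug output quoted in the message above.
PAGE_LOG = """\
TP-Processor3, WRITE: TLSv1 Handshake, length = 73
TP-Processor3, WRITE: SSLv2 client hello message, length = 98
TP-Processor3, received EOFException: error
TP-Processor3, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
TP-Processor3, SEND TLSv1 ALERT:  fatal, description = handshake_failure
14:36:10,091 ERROR [CommonUtils:294] Remote host closed connection during handshake
"""

# Constructed sample (not from the page): a certificate trust failure.
TRUST_LOG = """\
TP-Processor4, WRITE: TLSv1 Handshake, length = 73
TP-Processor4, READ: TLSv1 Handshake, length = 2048
TP-Processor4, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
TP-Processor4, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
"""

EVENT = re.compile(r"^(?P<thread>[^,\s]+), (?P<rest>.+)$")

def triage(log):
    """Return {thread: verdict} for every thread that logged a handshake exception."""
    seen, verdicts = {}, {}
    for line in log.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # stack frames and application log lines
        thread, rest = m["thread"], m["rest"]
        st = seen.setdefault(thread, {"read": False, "v2hello": False})
        if rest.startswith("READ:"):
            st["read"] = True  # at least one record arrived from the peer
        elif "SSLv2 client hello" in rest:
            st["v2hello"] = True  # hello sent in SSLv2-compatible framing
        elif rest.startswith("handling exception:"):
            if "ValidatorException" in rest or "PKIX path" in rest:
                verdicts[thread] = "trust-failure"
            elif not st["read"]:
                # Nothing was read: no server certificate arrived, truststore unused.
                verdicts[thread] = "peer-closed-before-server-hello" + (
                    "+v2hello" if st["v2hello"] else "")
            else:
                verdicts[thread] = "other-handshake-failure"
            seen.pop(thread)  # reset for the next connection on this thread
    return verdicts

if __name__ == "__main__":
    print(triage(PAGE_LOG), triage(TRUST_LOG))
```

A "peer-closed-before-server-hello" verdict means the certificates in the truststore were never evaluated for that connection, so the next things to compare are the protocol versions and cipher suites each side will accept.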