CAS Server has a Thawte-signed certificate. Liferay server has the cert expectedly added to cacerts and the debug shows it in the trust list. CAS server is working with a number of CASified applications. The Liferay server does not have a certificate at all. The previously attached log is from the Liferay server side; not seeing any errors in the log on the CAS server side.
I've attempted to increase the logging on the Liferay side, but changes I make to the various property files and XML files all seem to be ignored. Tried adding portal-log4j-ext.xml etc. The Liferay wikis and forums are conflicting about how to adjust logging, probably because of version differences, but all methods suggested seem to not work with 6.0.5.

As I stated, it's our production CAS server (3.4.5) and we have eight services authenticating successfully, including Liferay 5.23 on JBoss. For various reasons we're trying to implement 6.0.5 on Tomcat instead of JBoss and we're getting the fail. I'm thinking that it's a Tomcat issue rather than Liferay, but it could be either.

-Andrew

On Feb 10, 2011, at 11:25 AM, Marvin Addison wrote:

>> Have a new Client app (Liferay 6) that is running on Tomcat 6 on the server
>> we've explicitly added the CAS server's ssl cert to CACerts. The trust shows
>> up in list and in javax.net.debug=ssl,handshake
>> However when this server attempts to validate a CAS ticket it fails with:
>> TP-Processor3, WRITE: TLSv1 Handshake, length = 73
>> TP-Processor3, WRITE: SSLv2 client hello message, length = 98
>> TP-Processor3, received EOFException: error
>> TP-Processor3, handling exception: javax.net.ssl.SSLHandshakeException:
>> Remote host closed connection during handshake
>
> It makes sense that it's a certificate trust problem on the client
> since it dies right after the client hello, which is followed by the
> serverhello where the server certificate is sent to the client. A
> client-side (Liferay) trace would be more helpful in diagnosing your
> problem.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
