Re: [cas-user] TLS issues in LDAP backend on Debian Squeeze

Fri, 17 Feb 2012 07:01:46 -0800 

I'm not sure what you mean with "ssl trace"



See 
https://wiki.jasig.org/display/CASUM/SSL+Troubleshooting+and+Reference+Guide 
for instructions to perform SSL trace.  The debug information in a trace 
almost always clarifies the exact cause of a failed SSL handshake.



java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
         at 
java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
         at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
         at 
java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
         at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:73)
         at sun.security.validator.Validator.getInstance(Validator.java:178)
         at 
sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:129)
         at 
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:225)
         at 
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
         at 
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
         at 
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
         at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
         at 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:107)
         at 
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)



Suggests a certificate trust problem, which could be due to a change in 
the way Tomcat sets up the trust store or a change internally to the 
JRE.  Can you confirm whether the JRE/JDK version changed as a 
consequence of upgrading other components?  Also, need the exact JRE 
version and Tomcat version you're running at present.  Might help to 
post your redacted server.xml as well.


M

--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user






















					Reply via email to