Hi Joachim,

Many thanks, as advised by you, adding this line ( phpCAS::setExtraCurlOption(CURLOPT_SSLVERSION,3); ) has resolved my problem.

Best Regards,
Khurram

On 8 March 2012 00:33, Joachim Fritschi <[email protected]> wrote:

> Hi Khurram,
>
> I just checked your first debug log you sent yesterday. It did not contain
> the phpCAS::setNoCasServerValidation().
>
> But anyway your curl ssl problem still persists. Could it be that you are
> running into this issue between tomcat7 and ssl:
>
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/861137
>
> Can you please try adding the following after the phpCAS::client() call:
>
> phpCAS::setExtraCurlOption(CURLOPT_SSLVERSION,3);
>
> Regards,
>
> Joachim
>
> On 07.03.2012 16:49, Khurram Shahzad wrote:
>
>> Hi,
>>
>> We have further checked the validation URL it gives the following
>> response.
>>
>> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>   <cas:authenticationFailure code='INVALID_TICKET'>
>>     ticket 'ST-4-IbtqotJxsgntvDnxcxbc-cas' not recognized
>>   </cas:authenticationFailure>
>> </cas:serviceResponse>
>>
>> As it just generated the ticket a minute ago and successfully
>> authenticated so how can it be invalid. A word or further instructions
>> on it.
>>
>> Again my full log on this is as follows,
>>
>> 8CFD .START phpCAS-1.2.2 ****************** [CAS.php:478]
>> 8CFD .=> phpCAS::client('2.0', 'localhost', 8443, '/cas-server-webapp-3.4.11') [index.php:15]
>> 8CFD .| => CAS_Client::__construct('2.0', false, 'localhost', 8443, '/cas-server-webapp-3.4.11', true) [CAS.php:379]
>> 8CFD .| | Starting a new session [Client.php:710]
>> 8CFD .| <= ''
>> 8CFD .<= ''
>> 8CFD .=> phpCAS::setNoCasServerValidation() [index.php:18]
>> 8CFD .<= ''
>> 8CFD .=> phpCAS::forceAuthentication() [index.php:19]
>> 8CFD .| => CAS_Client::forceAuthentication() [CAS.php:1081]
>> 8CFD .| | => CAS_Client::isAuthenticated() [Client.php:962]
>> 8CFD .| | | => CAS_Client::wasPreviouslyAuthenticated() [Client.php:1058]
>> 8CFD .| | | | no user found [Client.php:1239]
>> 8CFD .| | | <= false
>> 8CFD .| | | no ticket found [Client.php:1120]
>> 8CFD .| | <= false
>> 8CFD .| | => CAS_Client::redirectToCas(false) [Client.php:971]
>> 8CFD .| | | => CAS_Client::getServerLoginURL(false, false) [Client.php:1255]
>> 8CFD .| | | | => CAS_Client::getURL() [Client.php:356]
>> 8CFD .| | | | | Final URI: http://localhost/testApp/index.php [Client.php:2886]
>> 8CFD .| | | | <= 'http://localhost/testApp/index.php'
>> 8CFD .| | | <= 'https://localhost:8443/cas-server-webapp-3.4.11/login?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php'
>> 8CFD .| | | Redirect to : https://localhost:8443/cas-server-webapp-3.4.11/login?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php [Client.php:1257]
>> 8CFD .| | | exit()
>> 8CFD .| | | -
>> 8CFD .| | -
>> 8CFD .| -
>> ED45 .START phpCAS-1.2.2 ****************** [CAS.php:478]
>> ED45 .=> phpCAS::client('2.0', 'localhost', 8443, '/cas-server-webapp-3.4.11') [index.php:15]
>> ED45 .| => CAS_Client::__construct('2.0', false, 'localhost', 8443, '/cas-server-webapp-3.4.11', true) [CAS.php:379]
>> ED45 .| | Starting a new session [Client.php:710]
>> ED45 .| | ST or PT 'ST-4-IbtqotJxsgntvDnxcxbc-cas' found [Client.php:796]
>> ED45 .| <= ''
>> ED45 .<= ''
>> ED45 .=> phpCAS::setNoCasServerValidation() [index.php:18]
>> ED45 .<= ''
>> ED45 .=> phpCAS::forceAuthentication() [index.php:19]
>> ED45 .| => CAS_Client::forceAuthentication() [CAS.php:1081]
>> ED45 .| | => CAS_Client::isAuthenticated() [Client.php:962]
>> ED45 .| | | => CAS_Client::wasPreviouslyAuthenticated() [Client.php:1058]
>> ED45 .| | | | no user found [Client.php:1239]
>> ED45 .| | | <= false
>> ED45 .| | | PT `ST-4-IbtqotJxsgntvDnxcxbc-cas' is present [Client.php:1093]
>> ED45 .| | | => CAS_Client::validatePT('', NULL, NULL) [Client.php:1094]
>> ED45 .| | | | [Client.php:2584]
>> ED45 .| | | | => CAS_Client::getServerProxyValidateURL() [Client.php:2586]
>> ED45 .| | | | | => CAS_Client::getURL() [Client.php:475]
>> ED45 .| | | | | | Final URI: http://localhost/testApp/index.php [Client.php:2886]
>> ED45 .| | | | | <= 'http://localhost/testApp/index.php'
>> ED45 .| | | | <= 'https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php'
>> ED45 .| | | | => CAS_CurlRequest::_sendRequest() [AbstractRequest.php:191]
>> ED45 .| | | | | curl_exec() failed [CurlRequest.php:128]
>> ED45 .| | | | <= false
>> ED45 .| | | | could not open URL 'https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-4-IbtqotJxsgntvDnxcxbc-cas' to validate (CURL error #35: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) [Client.php:2595]
>> ED45 .| | | | => CAS_Client::authError('PT not validated', 'https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-4-IbtqotJxsgntvDnxcxbc-cas', true) [Client.php:2598]
>> ED45 .| | | | | => CAS_Client::getURL() [Client.php:3014]
>> ED45 .| | | | | <= 'http://localhost/testApp/index.php'
>> ED45 .| | | | | CAS URL: https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-4-IbtqotJxsgntvDnxcxbc-cas [Client.php:3015]
>> ED45 .| | | | | Authentication failure: PT not validated [Client.php:3016]
>> ED45 .| | | | | Reason: no response from the CAS server [Client.php:3018]
>> ED45 .| | | | | exit()
>> ED45 .| | | | | -
>> ED45 .| | | | -
>> ED45 .| | | -
>> ED45 .| | -
>> ED45 .| -
>>
>> Best Regards,
>> Khurram Shahzad.
>>
>> ---------- Forwarded message ----------
>> From: Khurram Shahzad <[email protected]>
>> Date: 7 March 2012 18:54
>> Subject: Re: [cas-user] phpCAS support for CAS Server issue
>> To: [email protected]
>>
>> Hi Matthew, Joachim and community,
>>
>> As it's a local dev machine so I am using the
>> phpCAS::setNoCasServerValidation(); , so I am not sure why I am
>> repeatedly hit by this error. Also my certs are self generated keystore
>> for tomcat, so that tomcat ssl is working good. Also client php is
>> placed at apache which now also have their certs and stuff.
>>
>> Still I am unable to reach the cause of this error. Can you direct me
>> further on where to look to find and resolve the issue.
>>
>> Best regards,
>> Khurram.
>>
>> On 7 March 2012 01:02, Joachim Fritschi <[email protected]> wrote:
>>
>>     Hi Khurram,
>>
>>     Matthew has already spotted the error in your debug log.
>>
>>     You seem to have some SSL error during the callback to the cas
>>     server to validate the ticket.
>>     This is usually caused by not setting
>>     the CA certificate which signed the CAS server SSL certificate:
>>
>>     phpCAS::setCasServerCACert($cas_server_ca_cert_path);
>>
>>     or not skipping certificate validation (not recommended for
>>     production):
>>
>>     phpCAS::setNoCasServerValidation();
>>
>>     Otherwise the curl manual for #35 is a handshake error:
>>
>>     "A problem occurred somewhere in the SSL/TLS handshake. You really
>>     want the error buffer and read the message there as it pinpoints the
>>     problem slightly more. Could be certificates (file formats, paths,
>>     permissions), passwords, and others."
>>
>>     Maybe you have supplied a wrong format as a certificate or something
>>     else went wrong. Try using curl on the commandline to connect to the
>>     cas server. That might give you some hint if you play around with
>>     the parameters. (debug, verbose, setting certificate etc.)
>>
>>     Regards,
>>
>>     Joachim
>>
>>     On 06.03.2012 18:11, Matthew Selwood wrote:
>>
>>         Hi Khurram,
>>
>>         I think this is the interesting part of your log:
>>
>>         F3DE .| | | could not open URL 'https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-29-1fcy5UPRwNcc7sve4c1L-cas' to validate (CURL error #35: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) [Client.php:2595]
>>         F3DE .| | | => CAS_Client::authError('PT not validated', 'https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-29-1fcy5UPRwNcc7sve4c1L-cas', true) [Client.php:2598]
>>         F3DE .| | | | => CAS_Client::getURL() [Client.php:3014]
>>         F3DE .| | | | <= 'http://localhost/testApp/index.php'
>>         F3DE .| | | | CAS URL: https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-29-1fcy5UPRwNcc7sve4c1L-cas [Client.php:3015]
>>         F3DE .| | | | Authentication failure: PT not validated [Client.php:3016]
>>         F3DE .| | | | Reason: no response from the CAS server [Client.php:3018]
>>         F3DE .| | | | exit()
>>
>>         You aren't properly validating your service ticket because the
>>         CURL failed.
>>
>>         "CURLE_SSL_CONNECT_ERROR (35)
>>
>>         A problem occurred somewhere in the SSL/TLS handshake. You
>>         really want the error buffer and read the message there as it
>>         pinpoints the problem slightly more. Could be certificates
>>         (file formats, paths, permissions), passwords, and others."
>>         Source: http://curl.haxx.se/libcurl/c/libcurl-errors.html
>>
>>         I'm guessing it's a certificate issue. What do you see in cas.log?
>>
>>         Matt

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
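
Added example, not part of the original thread and not phpCAS code: a Python triage of the debug-log format quoted above. It reports, per request id, whether certificate validation was disabled and unpacks the OpenSSL 1.x error code behind CURL error #35. The sample lines are abridged from the thread; the function names `decode_openssl_error` and `triage` are hypothetical.

```python
import re

# Constructed sample: lines abridged from the debug log quoted in this thread.
SAMPLE_LOG = """\
8CFD .=> phpCAS::setNoCasServerValidation() [index.php:18]
ED45 .=> phpCAS::setNoCasServerValidation() [index.php:18]
ED45 .| | | | | curl_exec() failed [CurlRequest.php:128]
ED45 .| | | | could not open URL 'https://localhost:8443/cas-server-webapp-3.4.11/proxyValidate?service=http%3A%2F%2Flocalhost%2FtestApp%2Findex.php&ticket=ST-4-IbtqotJxsgntvDnxcxbc-cas' to validate (CURL error #35: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) [Client.php:2595]
"""

LINE = re.compile(r"^([0-9A-F]{4}) \.(.*)$")  # "<request id> .<message>"
CURL_ERR = re.compile(r"\(CURL error #(\d+): (.*)\)")
OSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode_openssl_error(text):
    """Unpack an OpenSSL 1.x error string (hypothetical helper).
    Packed code: 8-bit library, 12-bit function, 12-bit reason. In the SSL
    library (0x14), reasons >= 1000 are TLS alerts received from the peer.
    """
    m = OSSL_ERR.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    library, reason = (code >> 24) & 0xFF, code & 0xFFF
    return {"library": library, "function": m.group(3), "reason": m.group(4),
            "peer_alert": reason - 1000 if library == 0x14 and reason >= 1000 else None}

def triage(log_text):
    """Per request id: was validation disabled, and how did curl fail?"""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rid, msg = m.groups()
        req = requests.setdefault(
            rid, {"validation_disabled": False, "curl_errno": None, "openssl": None})
        if "phpCAS::setNoCasServerValidation()" in msg:
            req["validation_disabled"] = True
        err = CURL_ERR.search(msg)
        if err:
            req["curl_errno"] = int(err.group(1))
            req["openssl"] = decode_openssl_error(err.group(2))
    return requests

if __name__ == "__main__":
    for rid, req in triage(SAMPLE_LOG).items():
        print(rid, req)
```

For request ED45 the decoded reason is alert 80 (internal_error) received from the server while certificate validation was already disabled, so the handshake was aborted on the Tomcat side and the client's certificate settings were not the cause.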
