I have set up SSL debug. I see a few things but it appears that everything is
working fine. There are some items like:

*** ClientHello, TLSv1
RandomCookie:  GMT: 1338302492 bytes = { 172, 91, 240, 114, 109, 251, 133,
7, 153, 136, 56, 60, 156, 220, 128, 192, 18, 208, 79, 88, 183, 228, 113, 51,
180, 34, 177, 21 }
Session ID:  {80, 197, 224, 27, 153, 5, 188, 20, 119, 253, 178, 94, 4, 212,
2, 116, 183, 108, 194, 198, 131, 198, 87, 195, 99, 192, 36, 92, 135, 23,
154, 46}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [host_name: ndrhel57ozne01]
Unsupported extension status_request, data: 01:00:00:00:00
Extension elliptic_curves, curve names: {secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
***
%% Resuming [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1338302493 bytes = { 96, 207, 255, 241, 207, 230, 0,
202, 8, 72, 213, 23, 199, 49, 172, 12, 138, 215, 53, 150, 89, 20, 103, 71,
170, 108, 35, 169 }
Session ID:  {80, 197, 224, 27, 153, 5, 188, 20, 119, 253, 178, 94, 4, 212,
2, 116, 183, 108, 194, 198, 131, 198, 87, 195, 99, 192, 36, 92, 135, 23,
154, 46}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_RSA_WITH_AES_128_CBC_SHA
http-bio-8443-exec-5, WRITE: TLSv1 Handshake, length = 81
http-bio-8443-exec-5, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 142, 111, 178, 200, 193, 16, 144, 27, 6, 184, 98, 104 }
***
http-bio-8443-exec-5, WRITE: TLSv1 Handshake, length = 48
http-bio-8443-exec-5, READ: TLSv1 Change Cipher Spec, length = 1
http-bio-8443-exec-5, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data:  { 19, 21, 102, 116, 66, 57, 161, 231, 104, 66, 242, 32 }
***

and then see something like this:

***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=DOD CA-24, OU=PKI, OU=DoD, O=U.S. Government, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus:
24506346668316482469861999437346301434806061487468422171467511583222436611567651541135396657097984283944187842728549422023515709417361150494897426950484114494397577469587635755001618559487425306766318460450145834101175748784374577886504343249314100711835142561526064068630276961848484736394436366453578402325834331350836020744313114394935308108202483807999491254927371776219756941757693223135237788501430868139358549045673877538635744490124958675355071514139415126160054791049096994291811606421310276399506220475524574421216112580267876575108868593082745491307923139888026821473008870283499945432062539839125844307457
  public exponent: 65537
  Validity: [From: Mon Jan 26 15:23:11 EST 2009,
               To: Sun Jan 25 15:23:11 EST 2015]
  Issuer: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
  SerialNumber: [    47]


Which leads me to believe that things are going fine. However, I am not able
to see anything in the *cas.log* indicating:

*DEBUG
[org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction]
- Certificates not found in request.* 

I have tried removing the spaces from the trustedIssuerDnPattern and got no new
results.

Please pardon my lack of knowledge in the realm of 2-way SSL.

If you have any other ideas of what may be going on, please let me know.

Thanks for your help previously and in advance.




--
View this message in context: 
http://jasig.275507.n4.nabble.com/CAS-3-5-X509CertificateCredentialsToSubjectPrinciplalResolver-not-resolving-Certificate-tp4657101p4657154.html
Sent from the CAS Users mailing list archive at Nabble.com.
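
Added example, not part of the original post: the "%% Resuming" line in the log above marks an abbreviated TLS handshake, and a resumed session exchanges no Certificate messages, so this sketch splits a javax.net.debug log into handshakes and reports for each one whether a client certificate was requested and sent. The CertificateRequest, "Certificate chain" and "chain [n]" markers do not appear in the posted log and are assumed from the JSSE debug format; the sample input is constructed.

```python
# "*** ClientHello" and "%% Resuming" appear in the posted log; the other
# markers are assumed from the same JSSE debug format.
def handshakes(log_text):
    """Split a JSSE debug log into per-handshake facts, keyed on ClientHello."""
    found, cur, in_client_chain = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("*** ClientHello"):
            cur = {"resumed": False, "cert_requested": False, "client_certs": 0}
            found.append(cur)
            in_client_chain = False
        elif cur is None:
            continue
        elif line.startswith("%% Resuming"):
            cur["resumed"] = True
        elif line.startswith("*** CertificateRequest"):
            cur["cert_requested"] = True
        elif line.startswith("*** Certificate chain"):
            # Only a chain that follows CertificateRequest is the client's.
            in_client_chain = cur["cert_requested"]
        elif line.startswith("***"):
            in_client_chain = False
        elif in_client_chain and line.startswith("chain ["):
            cur["client_certs"] += 1
    return found

def verdict(h):
    if h["resumed"]:
        return "resumed session: no certificate messages in this handshake"
    if not h["cert_requested"]:
        return "full handshake: server never asked for a client certificate"
    if h["client_certs"] == 0:
        return "client certificate requested but none was sent"
    return "client presented %d certificate(s)" % h["client_certs"]

# Constructed sample: a resumed handshake, then a full one with client auth.
SAMPLE = """\
*** ClientHello, TLSv1
%% Resuming [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA]
*** ServerHello, TLSv1
*** ClientHello, TLSv1
*** Certificate chain
chain [0] = [
***
*** CertificateRequest
*** Certificate chain
chain [0] = [
***
"""
```

Running `[verdict(h) for h in handshakes(open("catalina.out").read())]` over a captured log (the file name is a placeholder) shows at a glance which handshakes could have carried a client certificate at all.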
