Marvin/Michael, Thank you both. The hint on "plain HTTP" got me to looking more carefully. Actually there was an error in a context listener (unrelated to CAS) and the context for the webapp was not starting. After fixing that, it's working.

Michael, thanks for the tip about the JCE extension. I replaced the current local_policy and US_local_policy.jar with the versions from Oracle's website. The number of "Ignoring unavailable cipher suite" messages went down from 38, but only to 36. Is there some trick I'm missing? Here they are:

http-bio-8443-Acceptor-0, setSoTimeout(60000) called
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
http-bio-8443-exec-9, READ: TLSv1 Handshake, length = 258

Thank you again - Richard

On Wed, Feb 5, 2014 at 8:10 AM, michael maceachran <[email protected]> wrote:

> Change http://portal.acmeinc.com/CH/index.jsp To HTTPS://
>
> I don't understand the stack trace, but when you download those 6 control
> characters, you are accessing an SSL port with http.
> Either change the port to a non-SSL or use https
>
> Hope this helps!
>
>
> On Wednesday, February 5, 2014 12:06 AM, Richard Mixon <[email protected]> wrote:
> After getting the various pieces to work piecemeal in a development
> environment I am trying to integrate in a production environment and
> running into the above problem.
>
> Here are the pieces, all on CentOS 6.4 with Java 7:
>
> - Apache HTTPD running a single virtual host that runs a WordPress website.
>   Uses a commercial SSL certificate
> - Tomcat 7, SSL self-signed on port 8443 with the following web applications:
>   - CAS
>   - CH, a line-of-business monitoring application.
>
> The WordPress site virtual host's httpd configuration uses mod_proxy to
> proxy CAS and CH requests to Tomcat. Before introducing CAS I can get to
> each application without issue:
>
> - CAS at http://portal.acmeinc.com/CAS/*
> - CH at http://portal.acmeinc.com/CH/*
> - WordPress at http://portal.acmeinc.com/*
>
> I've set up my keystore and truststore correctly I believe.
>
> I can log in successfully to CAS, e.g. to:
> http://portal.acmeinc.com/cas/services
>
> I've turned on SSL debugging per this guide:
> https://wiki.jasig.org/display/casum/ssl+troubleshooting+and+reference+guide
>
> When I try http://portal.acmeinc.com/CH/index.jsp I end up getting the
> above exception. Here is the output of the log.
>
> 2014-02-04 21:41:06,469 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4 services.>
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> http-bio-8443-Acceptor-0, setSoTimeout(60000) called
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
> Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
> Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
> Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> http-bio-8443-exec-1, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> http-bio-8443-exec-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
> http-bio-8443-exec-1, WRITE: TLSv1 Alert, length = 2
> http-bio-8443-exec-1, called closeSocket()
> http-bio-8443-exec-1, IOException in getSession(): javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
> http-bio-8443-exec-1, called close()
> http-bio-8443-exec-1, called closeInternal(true)
> 2014-02-04 21:43:06,438 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
>
> Also, the browser I'm using attempts to download the file, which is only
> six control characters:
> NAK ETX SOH NUL STX STX
>
> Any ideas or hints on solving this are appreciated.
>
> Thank you - Richard
>
> --
> Richard Mixon
> Custom Computer Creations, L.L.C.
> mobile: (480) 577-6834 office: (480) 614-3442
> email: [email protected] <mailto:[email protected]>
> Microsoft Partner ID: 1263725
> The messages and documents transmitted with this notice contain
> confidential information belonging to the sender. If you are not the
> intended recipient of this information, you are hereby notified that any
> disclosure, copying, distribution or use of the information is strictly
> prohibited. If you have received this transmission in error, please notify
> the sender immediately.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
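
Added example, not part of the original thread: the six control characters the browser saved are the start of the TLS alert record that the quoted log shows Tomcat sending ("SEND TLSv1 ALERT: fatal, description = unexpected_message", "WRITE: TLSv1 Alert, length = 2"). The Python sketch below decodes them and shows how a TLS listener can tell a plaintext HTTP request from a TLS record. The function names, the sample request line and the trailing 0x0A byte (alert code 10, which displays as a line feed rather than a visible control character) are assumptions.

```python
import struct

# Subset of TLS record and alert code points from RFC 5246.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}
# ASCII control-character names as the browser displayed them.
CONTROL_CODES = {"NUL": 0x00, "SOH": 0x01, "STX": 0x02, "ETX": 0x03, "NAK": 0x15}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def from_control_names(names):
    """Turn 'NAK ETX SOH ...' into the bytes those names stand for."""
    return bytes(CONTROL_CODES[n] for n in names.split())

def classify_first_bytes(data):
    """What a TLS listener sees first: a TLS record or a plaintext HTTP request."""
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    if len(data) >= 2 and data[0] in CONTENT_TYPES and data[1] == 3:
        return "tls-record"
    return "unknown"

def decode_tls_record(data):
    """Decode one TLS record header and, for an alert, its two-byte body."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("content type %d is not a TLS record" % ctype)
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("record body truncated: %d of %d bytes" % (len(body), length))
    record = {"type": CONTENT_TYPES[ctype],
              "version": VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
              "length": length}
    if ctype == 21 and length == 2:
        record["level"] = ALERT_LEVELS.get(body[0], str(body[0]))
        record["description"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    return record

# Constructed input: the six characters from the post plus the assumed 0x0A byte.
ALERT_BYTES = from_control_names("NAK ETX SOH NUL STX STX") + b"\x0a"
```

A response that starts with bytes 15 03 01 on a URL expected to return HTML is a quick sign that a proxy or client is speaking plain HTTP to a TLS port, which matches the "Unrecognized SSL message, plaintext connection?" exception on the server side.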
