Marvin,

Thanks for the pointers. The issue is that the PeopleAdmin CAS client attempts 
to handshake using SSLv3, which is disabled by default in the 11.5 version for 
F5.  They’re the only people that I know of that do that. It took a packet 
capture on the F5 to see this.  I’ve enabled SSLv3 on our test CAS server and 
their client works fine (as expected).  I’m attempting to get them to update 
their side, but I’m not holding my breath on that. My guess is that they will 
start seeing more CAS servers where this will be an issue.

Thanks again,
Chris


On Tue, Jun 24, 2014, at 9:01 AM, Marvin Addison 
<[email protected]> wrote:

>> we did apply an update to our F5 load balancer on 6/15, bringing it up to 
>> 15.1.
> 
> Redirect loops are commonly caused by SSL handshake failures that are
> handled poorly in the client. Did a cert change as part of the
> upgrade? You'll have more luck troubleshooting the problem at the
> client (PeopleAdmin) than the server since the client is the component
> responsible for the redirect to get you to CAS. Have PA turn up their
> logs and review carefully. Feel free to post excerpts and we'll try to
> help you troubleshoot.
> 
>> Has anyone else run into any weirdness like this that's using an F5?
> 
> Doubtful the firmware update alone caused the problem, but maybe there
> were some configuration changes, including certs, that happened
> concurrently that are to blame.
> 
> M
> 
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
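
Added example, not part of the original thread: a check for the kind of finding described above, reading the protocol version a client offers from the first bytes of its ClientHello as they appear in a packet capture. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Protocol version codes as they appear on the wire: (major, minor).
VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def _name(version):
    return VERSIONS.get(version, "unknown 0x%02x%02x" % version)


def client_hello_versions(data: bytes):
    """Return (record_version, client_version) names for a ClientHello.

    Reads only the 5-byte record header and the client_version field of
    the ClientHello body; extensions are not inspected.
    """
    if len(data) < 11:
        raise ValueError("too short for a record carrying a ClientHello")
    content_type, rec_major, rec_minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record (content type %d)" % content_type)
    if data[5] != 1:  # 1 = ClientHello
        raise ValueError("handshake message is not a ClientHello")
    # data[6:9] is the 3-byte handshake length; client_version follows it.
    return _name((rec_major, rec_minor)), _name((data[9], data[10]))


def max_offer_is_sslv3(data: bytes) -> bool:
    """True when the highest version the client offers is SSLv3."""
    return client_hello_versions(data)[1] == "SSLv3"


def sample_hello(major: int, minor: int) -> bytes:
    """Build a constructed ClientHello (sample input, not captured traffic)."""
    body = bytes([major, minor]) + bytes(32)  # client_version + random
    body += b"\x00"                           # empty session id
    body += b"\x00\x02\x00\x2f"               # one cipher suite
    body += b"\x01\x00"                       # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes([major, minor]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    for hello in (sample_hello(3, 0), sample_hello(3, 3)):
        print(client_hello_versions(hello), max_offer_is_sslv3(hello))
```

A client whose ClientHello carries client_version 3.0 cannot negotiate anything newer, so a server or load balancer with SSLv3 disabled will fail the handshake.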

