Hi, Aaron,
I thought I was the only one dealing with the same issue. I am getting the same error on a CAS-enabled app after we disabled SSLv3 support in the load balancer that sits in front of our CAS servers. So far it seems to only affect the CAS client.

I have upgraded to JDK 7u72 and added -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but still get the same error message. My guess is that the limited set of ciphers supported by the load balancer doesn't match the default ciphers enabled in the JVM. I'm still looking at what values the https.cipherSuites system property accepts in order to configure it accordingly.

Best regards,
--
Carlos.

From: Aaron Eidt [mailto:[email protected]]
Sent: Monday, 20 October, 2014 11:50
To: [email protected]
Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE

I've attempted to change tomcat config to disable SSLv3 and when I do I get the following exception trying to login to CAS service management (not immediately, after a few minutes and sometimes after updating the second host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector has worked on several other Tomcat installations.

Here is more detail about my setup:

CAS version: 3.5.2
Tomcat Version: 7.0.37.0
OS Name: Linux
OS Version: 2.6.32-358.0.1.el6.x86_64
Architecture: amd64
JVM Version: 1.6.0_24-b24
JVM Vendor: Sun Microsystems Inc.

Have 2 app servers behind load balancer but SSL is done by Tomcat

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)

root cause

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)

Thanks,
Aaron

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
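
A diagnostic for the protocol and cipher mismatch discussed in this thread, added here as an example; it is not code from either poster, CAS or Tomcat. The class name `TlsClientProbe` and its command-line arguments are assumptions; it lists what the running JVM can offer and, given a host and port, attempts one handshake with the `https.protocols` and `https.cipherSuites` values applied.

```java
import java.util.Arrays;
import javax.net.ssl.*;

// Added diagnostic (not CAS or Tomcat code). Kept Java 6 compatible on purpose.
// Usage: java [-Dhttps.protocols=...] [-Dhttps.cipherSuites=...] TlsClientProbe [host port]
// host/port: the HTTPS endpoint the CAS client validates tickets against (your own value).
public class TlsClientProbe {

    // Parse a comma-separated system property; null means "not set, use JVM defaults".
    static String[] csv(String prop) {
        String v = System.getProperty(prop);
        return (v == null || v.trim().length() == 0) ? null : v.trim().split("\\s*,\\s*");
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        SSLParameters def = ctx.getDefaultSSLParameters();
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("supported protocols = " + Arrays.toString(sup.getProtocols()));
        System.out.println("enabled by default  = " + Arrays.toString(def.getProtocols()));
        // These names are the values https.cipherSuites accepts (comma-separated).
        System.out.println("supported cipher suites:");
        for (String s : sup.getCipherSuites()) System.out.println("  " + s);
        if (args.length < 2) return;   // offline mode: listing only

        SSLSocket sock = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]));
        try {
            // https.protocols / https.cipherSuites are read by HttpsURLConnection
            // (the class in the stack trace), not by raw sockets, so apply them here.
            String[] protocols = csv("https.protocols");
            String[] suites = csv("https.cipherSuites");
            if (protocols != null) sock.setEnabledProtocols(protocols);
            if (suites != null) sock.setEnabledCipherSuites(suites);
            System.out.println("offering protocols  = " + Arrays.toString(sock.getEnabledProtocols()));
            sock.startHandshake();
            SSLSession sess = sock.getSession();
            System.out.println("negotiated          = " + sess.getProtocol() + " / " + sess.getCipherSuite());
        } catch (IllegalArgumentException e) {
            // Thrown when a configured protocol or suite name is unknown to this JVM.
            System.out.println("unsupported setting: " + e.getMessage());
        } catch (SSLHandshakeException e) {
            // Same exception class as in the thread; typically no protocol or suite in common.
            System.out.println("handshake failed: " + e.getMessage());
        } finally {
            sock.close();
        }
    }
}
```

Run it with the same JVM binary and the same `-D` options as the CAS client application, then compare the printed suites with the list configured on the load balancer or Tomcat connector.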
