For help troubleshooting all sorts of SSL problems in a JVM, check out [https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https]. A quick thing to try to fix this would be to add `-Dhttps.protocols=TLSv1` when starting Tomcat (usually added to setenv.sh).
-Jj On Oct 20, 2014, at 10:50 AM, Aaron Eidt <[email protected]> wrote: > I've attempted to change tomcat config to disable SSLv3 and when I do I get > the following exception trying to login to CAS service management (not > immediately, after a few minutes and sometimes after updated the second > host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector > has worked an several other Tomcat installations. > > Here is more detail about my setup: > CAS version: 3.5.2 > Tomcat Version: 7.0.37.0 > OS Name: Linux > OS Version: 2.6.32-358.0.1.el6.x86_64 > Architecture: amd64 > JVM Version: 1.6.0_24-b24 > JVM Vendor: Sun Microsystems Inc. > > Have 2 app servers behind load balancer but SSL is done by Tomcat > > java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received > fatal alert: handshake_failure > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341) > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) > > org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) > > org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) > > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) > > org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) > > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) > > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) > > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) > > com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) > root cause > > javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure > sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > sun.security.ssl.Alerts.getSSLException(Alerts.java:154) > sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748) > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991) > > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175) > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202) > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186) > > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440) > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > > sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139) > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326) > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) > > org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) > > org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) > > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) > > org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) > > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) > > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) > > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) > > com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) > > > Thanks, > Aaron > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
