A quick way to check what might be available on your load balancer is to run it through something like [https://www.ssllabs.com/ssltest/]. After the test, you should see what protocols are supported by the load balancer.
-Jj On Oct 20, 2014, at 11:08 AM, Carlos Fernandez <[email protected]> wrote: > Hi, Aaron, > > I thought I was the only one dealing with the same issue. I am getting the > same error on a CAS-enabled app after we disabled SSLv3 support in the load > balancer that sits in front of our CAS servers. So far it seems to only > affect the CAS client. > > I have upgraded to JDK 7u72 and added –Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 > to the JVM command line, but still get the same error message. My guess is > that the limited set of ciphers supported by the load balancer doesn’t match > the default ciphers enabled in the JVM. I’m still looking at what values the > https.cipherSuites system property accepts in order to configure it > accordingly. > > Best regards, > -- > Carlos. > > From: Aaron Eidt [mailto:[email protected]] > Sent: Monday, 20 October, 2014 11:50 > To: [email protected] > Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE > > I've attempted to change tomcat config to disable SSLv3 and when I do I get > the following exception trying to login to CAS service management (not > immediately, after a few minutes and sometimes after updated the second > host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector > has worked an several other Tomcat installations. > > Here is more detail about my setup: > CAS version: 3.5.2 > Tomcat Version: 7.0.37.0 > OS Name: Linux > OS Version: 2.6.32-358.0.1.el6.x86_64 > Architecture: amd64 > JVM Version: 1.6.0_24-b24 > JVM Vendor: Sun Microsystems Inc. > > Have 2 app servers behind load balancer but SSL is done by Tomcat > > java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received > fatal alert: handshake_failure > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341) > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) > > org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) > > org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) > > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) > > org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) > > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) > > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) > > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) > > com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) > root cause > > javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure > sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > sun.security.ssl.Alerts.getSSLException(Alerts.java:154) > sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748) > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991) > > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175) > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202) > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186) > > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440) > > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > > sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139) > > sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326) > > org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) > > org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) > > org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) > > org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) > > org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) > > org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) > > org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) > > org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) > > org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) > > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) > > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) > > com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) > > > Thanks, > Aaron > > -- > You are currently subscribed to [email protected] as: [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
