Thanks, Adding '-Dhttps.protocols=TLSv1' to tomcat startup didn't disable SSLv3 (openssl.exe s_client -connect HOSTNAME:443 -ssl3 still successfully connects). I am using a load balancer but it is configured as an SSL Bridge in this case so that all SSL traffic gets passed through to the backend hosts. I have a similar setup with Shibboleth and the Tomcat change works without issue there.
Thanks Again, Aaron On 10/20/2014 12:21 PM, Jonathan Johnson wrote: > A quick way to check what might be available on your load balancer is > to run it through something like [https://www.ssllabs.com/ssltest/]. > After the test, you should see what protocols are supported by the > load balancer. > > -Jj > > On Oct 20, 2014, at 11:08 AM, Carlos Fernandez <[email protected] > <mailto:[email protected]>> wrote: > >> Hi, Aaron, >> I thought I was the only one dealing with the same issue. I am >> getting the same error on a CAS-enabled app after we disabled SSLv3 >> support in the load balancer that sits in front of our CAS servers. >> So far it seems to only affect the CAS client. >> I have upgraded to JDK 7u72 and added >> –Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but >> still get the same error message. My guess is that the limited set of >> ciphers supported by the load balancer doesn’t match the default >> ciphers enabled in the JVM. I’m still looking at what values the >> https.cipherSuites system property accepts in order to configure it >> accordingly. >> Best regards, >> -- >> Carlos. >> *From:*Aaron Eidt [mailto:[email protected]] >> *Sent:*Monday, 20 October, 2014 11:50 >> *To:*[email protected] <mailto:[email protected]> >> *Subject:*[cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE >> >> I've attempted to change tomcat config to disable SSLv3 and when I do >> I get the following exception trying to login to CAS service >> management (not immediately, after a few minutes and sometimes after >> updated the second host). Adding >> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector has >> worked an several other Tomcat installations. >> >> Here is more detail about my setup: >> CAS version: 3.5.2 >> Tomcat Version: 7.0.37.0 >> OS Name: Linux >> OS Version: 2.6.32-358.0.1.el6.x86_64 >> Architecture: amd64 >> JVM Version: 1.6.0_24-b24 >> JVM Vendor: Sun Microsystems Inc. >> >> Have 2 app servers behind load balancer but SSL is done by Tomcat >> >> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received >> fatal alert: handshake_failure >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341) >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) >> >> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) >> >> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) >> >> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) >> >> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) >> >> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) >> >> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) >> >> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) >> >> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >> >> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) >> >> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >> >> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) >> >> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >> >> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) >> >> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) >> >> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) >> >> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) >> >> *root cause* >> >> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure >> sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >> sun.security.ssl.Alerts.getSSLException(Alerts.java:154) >> sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748) >> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991) >> >> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175) >> >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202) >> >> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186) >> >> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440) >> >> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) >> >> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139) >> >> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326) >> >> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) >> >> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) >> >> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) >> >> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) >> >> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) >> >> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) >> >> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) >> >> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) >> >> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >> >> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) >> >> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >> >> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) >> >> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >> >> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) >> >> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) >> >> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) >> >> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) >> >> >> Thanks, >> Aaron >> >> -- >> You are currently subscribed [email protected] >> <mailto:[email protected]> as:[email protected] >> <mailto:[email protected]> >> To unsubscribe, change settings or access archives, >> seehttp://www.ja-sig.org/wiki/display/JSG/cas-user >> -- >> You are currently subscribed [email protected] >> <mailto:[email protected]> as:[email protected] >> <mailto:[email protected]> >> To unsubscribe, change settings or access archives, >> seehttp://www.ja-sig.org/wiki/display/JSG/cas-user > > -- > You are currently subscribed to [email protected] as: [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
