Welp, I found a solution to our problem.

We have Tomcat running behind Apache, using AJP between them. While the load balancer did get updated, the CAS client in our case was connecting directly to the servers instead of through the load balancer since it runs locally on the servers (/etc/hosts did it), and Apache had SSLv3 disabled. Since our users will always access CAS through the load balancer exclusively, we decided to turn SSLv3 back on in Apache to allow this local connection.

Best regards,
-- Carlos.

From: Jonathan Johnson [mailto:[email protected]]
Sent: Monday, 20 October, 2014 12:22
To: [email protected]
Subject: Re: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE

A quick way to check what might be available on your load balancer is to run it through something like [https://www.ssllabs.com/ssltest/]. After the test, you should see what protocols are supported by the load balancer.

-Jj

On Oct 20, 2014, at 11:08 AM, Carlos Fernandez <[email protected]> wrote:

Hi, Aaron,

I thought I was the only one dealing with the same issue. I am getting the same error on a CAS-enabled app after we disabled SSLv3 support in the load balancer that sits in front of our CAS servers. So far it seems to only affect the CAS client.

I have upgraded to JDK 7u72 and added -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but still get the same error message. My guess is that the limited set of ciphers supported by the load balancer doesn't match the default ciphers enabled in the JVM. I'm still looking at what values the https.cipherSuites system property accepts in order to configure it accordingly.

Best regards,
-- Carlos.

From: Aaron Eidt [mailto:[email protected]]
Sent: Monday, 20 October, 2014 11:50
To: [email protected]
Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE

I've attempted to change the Tomcat config to disable SSLv3, and when I do I get the following exception trying to log in to CAS service management (not immediately, after a few minutes and sometimes after updating the second host).

Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the SSL connector has worked on several other Tomcat installations.

Here is more detail about my setup:

CAS version: 3.5.2
Tomcat Version: 7.0.37.0
OS Name: Linux
OS Version: 2.6.32-358.0.1.el6.x86_64
Architecture: amd64
JVM Version: 1.6.0_24-b24
JVM Vendor: Sun Microsystems Inc.

Have 2 app servers behind load balancer but SSL is done by Tomcat

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)

root cause

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
    sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
    sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
    sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
    sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
    sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
    sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
    org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
    org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
    org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
    org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
    org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)

Thanks,
Aaron

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
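The thread turns on two questions: which protocol versions and cipher suites the JVM running the CAS client actually offers (what -Dhttps.protocols and https.cipherSuites narrow), and which of them the endpoint it talks to still accepts (what the ssllabs test shows for a public load balancer, but not for a server reached through /etc/hosts). The program below is an added diagnostic written for this page, not code from the thread, the CAS client or the JVM; it prints the JVM's default and supported protocols and suites, and if a host and port are given it opens one handshake per protocol version so a "Received fatal alert: handshake_failure" can be tied to the version the two sides fail to agree on. It assumes Java 7 or later for try-with-resources and uses only the standard javax.net.ssl API; the class name and the five-second timeout are this example's own choices.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Reports the TLS protocol versions and cipher suites this JVM offers as a
 * client and, given host and port, tries each protocol version on its own
 * so a handshake_failure can be traced to a version or suite mismatch.
 * Example code written for this page; not part of CAS or the JVM.
 */
public class TlsOfferCheck {

    /** Versions to try one at a time. SSLv3 stays in the list so an endpoint that still accepts it is reported. */
    private static final String[] CANDIDATES = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();   // what goes on the wire by default
        SSLParameters supported = ctx.getSupportedSSLParameters(); // what could be enabled at all

        System.out.println("Default protocols:   " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Default cipher suites (" + defaults.getCipherSuites().length + "):");
        for (String suite : defaults.getCipherSuites()) {
            System.out.println("  " + suite);
        }

        if (args.length == 2) {
            probe(args[0], Integer.parseInt(args[1]), ctx.getSocketFactory(), supported.getProtocols());
        } else {
            System.out.println("(pass <host> <port> to probe an endpoint one protocol version at a time)");
        }
    }

    /** Open one handshake per candidate version and report which versions the endpoint accepts. */
    static void probe(String host, int port, SSLSocketFactory factory, String[] supportedProtocols) {
        List<String> supported = Arrays.asList(supportedProtocols);
        for (String proto : CANDIDATES) {
            if (!supported.contains(proto)) {
                System.out.printf("%-8s not supported by this JVM%n", proto);
                continue;
            }
            try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
                sock.setEnabledProtocols(new String[] {proto}); // offer exactly this version
                sock.setSoTimeout(5000);                        // 5 s read timeout, an example choice
                sock.startHandshake();
                System.out.printf("%-8s OK   negotiated %s with %s%n", proto,
                        sock.getSession().getProtocol(), sock.getSession().getCipherSuite());
            } catch (IOException | IllegalArgumentException e) {
                // SSLHandshakeException ("Received fatal alert: handshake_failure", or the JVM's own
                // "No appropriate protocol" when jdk.tls.disabledAlgorithms blocks the version) lands here.
                System.out.printf("%-8s FAIL %s%n", proto, e.getMessage());
            }
        }
    }
}
```

Run it once with no arguments under the same JVM and system properties the CAS client uses (for example with -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 on the command line) to see what the client will offer, then with the host and port the client really connects to, which in Carlos's case was the local Apache rather than the load balancer. When reading the output, keep the JVM generation in mind: Java 6 clients only offer SSLv3 and TLSv1, Java 7 supports TLSv1.1 and TLSv1.2 but does not enable them for clients by default, and Java 8 enables them by default, so a server restricted to TLSv1.1 or TLSv1.2 will refuse a Java 6 client regardless of cipher configuration.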
