The `https.protocols` system property is only used to direct the client to use a particular set of protocols, not to change the protocols supported by the server. You’ll need to add it to the client server, along with the `sslEnabledProtocols` to say which protocols to support on your server.
-Jj On Oct 20, 2014, at 11:32 AM, Aaron Eidt <[email protected]> wrote: > Thanks, > > Adding '-Dhttps.protocols=TLSv1' to tomcat startup didn't disable SSLv3 > (openssl.exe s_client -connect HOSTNAME:443 -ssl3 still successfully > connects). I am using a load balancer but it is configured as an SSL Bridge > in this case so that all SSL traffic gets passed through to the backend > hosts. I have a similar setup with Shibboleth and the Tomcat change works > without issue there. > > Thanks Again, > Aaron > > On 10/20/2014 12:21 PM, Jonathan Johnson wrote: >> A quick way to check what might be available on your load balancer is to run >> it through something like [https://www.ssllabs.com/ssltest/]. After the >> test, you should see what protocols are supported by the load balancer. >> >> -Jj >> >> On Oct 20, 2014, at 11:08 AM, Carlos Fernandez <[email protected]> wrote: >> >>> Hi, Aaron, >>> >>> I thought I was the only one dealing with the same issue. I am getting the >>> same error on a CAS-enabled app after we disabled SSLv3 support in the load >>> balancer that sits in front of our CAS servers. So far it seems to only >>> affect the CAS client. >>> >>> I have upgraded to JDK 7u72 and added >>> –Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but still >>> get the same error message. My guess is that the limited set of ciphers >>> supported by the load balancer doesn’t match the default ciphers enabled in >>> the JVM. I’m still looking at what values the https.cipherSuites system >>> property accepts in order to configure it accordingly. >>> >>> Best regards, >>> -- >>> Carlos. >>> >>> From: Aaron Eidt [mailto:[email protected]] >>> Sent: Monday, 20 October, 2014 11:50 >>> To: [email protected] >>> Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE >>> >>> I've attempted to change tomcat config to disable SSLv3 and when I do I get >>> the following exception trying to login to CAS service management (not >>> immediately, after a few minutes and sometimes after updated the second >>> host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector >>> has worked an several other Tomcat installations. >>> >>> Here is more detail about my setup: >>> CAS version: 3.5.2 >>> Tomcat Version: 7.0.37.0 >>> OS Name: Linux >>> OS Version: 2.6.32-358.0.1.el6.x86_64 >>> Architecture: amd64 >>> JVM Version: 1.6.0_24-b24 >>> JVM Vendor: Sun Microsystems Inc. >>> >>> Have 2 app servers behind load balancer but SSL is done by Tomcat >>> >>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received >>> fatal alert: handshake_failure >>> >>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341) >>> >>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) >>> >>> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) >>> >>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) >>> >>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) >>> >>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) >>> >>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) >>> >>> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) >>> >>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) >>> >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >>> >>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) >>> >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >>> >>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) >>> >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >>> >>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) >>> >>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) >>> >>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) >>> >>> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) >>> root cause >>> >>> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure >>> sun.security.ssl.Alerts.getSSLException(Alerts.java:192) >>> sun.security.ssl.Alerts.getSSLException(Alerts.java:154) >>> sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748) >>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991) >>> >>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175) >>> >>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202) >>> >>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186) >>> >>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440) >>> >>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) >>> >>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139) >>> >>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) >>> >>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326) >>> >>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305) >>> >>> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50) >>> >>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207) >>> >>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140) >>> >>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126) >>> >>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156) >>> >>> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242) >>> >>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194) >>> >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >>> >>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) >>> >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >>> >>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) >>> >>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) >>> >>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) >>> >>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) >>> >>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) >>> >>> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63) >>> >>> >>> Thanks, >>> Aaron >>> >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>> -- >>> You are currently subscribed to [email protected] as: >>> [email protected] >>> To unsubscribe, change settings or access archives, see >>> http://www.ja-sig.org/wiki/display/JSG/cas-user >> >> -- >> You are currently subscribed to [email protected] as: [email protected] >> To unsubscribe, change settings or access archives, see >> http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
