Hi Carlos,

Thanks for the update and glad you solved your issue. Unfortunately for me I'm not running Apache in front of Tomcat.

Thanks,
Aaron

On 10/20/2014 12:34 PM, Carlos Fernandez wrote:
> Welp, I found a solution to our problem.
>
> We have Tomcat running behind Apache, using AJP between them. While the load balancer did get updated, the CAS client in our case was connecting directly to the servers instead of through the load balancer, since it runs locally on the servers (/etc/hosts did it), and Apache had SSLv3 disabled. Since our users will always access CAS through the load balancer exclusively, we decided to turn SSLv3 back on in Apache to allow this local connection.
>
> Best regards,
>
> --
> Carlos.
>
> *From:* Jonathan Johnson [mailto:[email protected]]
> *Sent:* Monday, 20 October, 2014 12:22
> *To:* [email protected]
> *Subject:* Re: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE
>
> A quick way to check what might be available on your load balancer is to run it through something like https://www.ssllabs.com/ssltest/. After the test, you should see what protocols are supported by the load balancer.
>
> -Jj
>
> On Oct 20, 2014, at 11:08 AM, Carlos Fernandez <[email protected]> wrote:
>
>> Hi, Aaron,
>>
>> I thought I was the only one dealing with the same issue. I am getting the same error on a CAS-enabled app after we disabled SSLv3 support in the load balancer that sits in front of our CAS servers. So far it seems to only affect the CAS client.
>>
>> I have upgraded to JDK 7u72 and added --Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but still get the same error message. My guess is that the limited set of ciphers supported by the load balancer doesn't match the default ciphers enabled in the JVM. I'm still looking at what values the https.cipherSuites system property accepts in order to configure it accordingly.
>>
>> Best regards,
>>
>> --
>> Carlos.
>>
>> *From:* Aaron Eidt [mailto:[email protected]]
>> *Sent:* Monday, 20 October, 2014 11:50
>> *To:* [email protected]
>> *Subject:* [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE
>>
>> I've attempted to change the Tomcat config to disable SSLv3, and when I do I get the following exception trying to log in to CAS service management (not immediately; after a few minutes, and sometimes after updating the second host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the SSL connector has worked on several other Tomcat installations.
>>
>> Here is more detail about my setup:
>>
>>   CAS version:  3.5.2
>>   Tomcat Version: 7.0.37.0
>>   OS Name:      Linux
>>   OS Version:   2.6.32-358.0.1.el6.x86_64
>>   Architecture: amd64
>>   JVM Version:  1.6.0_24-b24
>>   JVM Vendor:   Sun Microsystems Inc.
>>
>> Have 2 app servers behind a load balancer, but SSL is done by Tomcat.
>>
>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>   org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
>>   org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>   org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>   org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>   org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>   org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>   org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>   org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>   org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>   org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>   org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>   org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>   org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>   org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>   com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>
>> *root cause*
>>
>> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>   sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>   sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>   sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
>>   sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
>>   sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
>>   sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
>>   sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
>>   sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
>>   sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>   sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
>>   sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>   org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
>>   org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>   org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>   org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>   org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>   org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>   org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>   org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>   org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>   org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>   org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>   org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>   org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>   org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>   org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>   com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>
>> Thanks,
>> Aaron
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
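Editor's note on the thread above. The handshake_failure in Aaron's trace is raised under sun.net.www.protocol.https.HttpsURLConnectionImpl, i.e. the CAS client validates tickets through HttpsURLConnection, and that is the only code path that honours the https.protocols and https.cipherSuites system properties Carlos mentions. Two facts worth having at hand when reading the thread: the SunJSSE provider in Java 6 (Aaron's 1.6.0_24) implements only SSLv3 and TLSv1, so once a server disables SSLv3 a Java 6 client has exactly one protocol version left and the handshake then stands or falls on finding a cipher suite both sides enable; and Java 7 added TLS 1.1/1.2 but leaves them off by default for clients, which is what -Dhttps.protocols switches on. Carlos's workaround of turning SSLv3 back on in Apache restores the POODLE-vulnerable version on that listener for every client that can reach it, not only the local CAS client, so it is worth knowing what the JVM can negotiate before taking that route.

The following probe is an added example, not code from the thread or from the CAS project. Compiled and run with the same JVM and the same -D flags Tomcat uses, against the host and port the CAS client actually resolves (in Carlos's setup the /etc/hosts entry, not the load balancer), it prints what that JVM offers and then attempts one handshake per protocol version, so a failure can be pinned to a version rather than guessed at. The class name TlsProbe, the command-line arguments and the 5-second timeouts are this example's own choices.

```java
// Added example (not from the cas-user thread or the CAS client): report what
// this JVM offers for TLS and try each protocol version against an endpoint.
// Build and run with the JVM Tomcat uses:
//   javac TlsProbe.java && java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 TlsProbe cas.example.org 443
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsProbe {

    // Host and port are hypothetical command-line inputs; the real CAS client
    // connects to whatever its configured CAS server URL resolves to.
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();

        System.out.println("java.version        = " + System.getProperty("java.version"));
        // These two properties are read only by HttpsURLConnection, the path the
        // CAS client uses (sun.net.www.protocol.https in the thread's stack trace).
        System.out.println("https.protocols     = " + System.getProperty("https.protocols"));
        System.out.println("https.cipherSuites  = " + System.getProperty("https.cipherSuites"));
        // What a plain SSLSocket from this JVM enables by default, and what it could enable.
        System.out.println("default protocols   = "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported protocols = "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default cipher suites:");
        for (String suite : factory.getDefaultCipherSuites()) {
            System.out.println("  " + suite);
        }

        // One handshake per protocol version so a failure is attributable to that version.
        for (String proto : ctx.getSupportedSSLParameters().getProtocols()) {
            if ("SSLv2Hello".equals(proto)) {
                continue; // only a ClientHello framing, cannot be enabled on its own
            }
            System.out.println(proto + ": " + probe(factory, host, port, proto));
        }
    }

    /** Handshake with exactly one protocol version enabled; returns a one-line verdict. */
    static String probe(SSLSocketFactory factory, String host, int port, String proto) {
        Socket plain = new Socket();
        SSLSocket ssl = null;
        try {
            plain.connect(new InetSocketAddress(host, port), 5000);
            plain.setSoTimeout(5000);
            // Layer TLS over the connected socket; autoClose=true closes both together.
            ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
            ssl.setEnabledProtocols(new String[] { proto });
            ssl.startHandshake();
            return "OK, negotiated " + ssl.getSession().getProtocol()
                    + " with " + ssl.getSession().getCipherSuite();
        } catch (IOException e) {
            // SSLHandshakeException is an IOException; for a server that rejects the
            // offered version or every offered suite its message is the same
            // "Received fatal alert: handshake_failure" quoted in the thread.
            return "FAILED (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        } finally {
            try {
                if (ssl != null) {
                    ssl.close();
                } else {
                    plain.close();
                }
            } catch (IOException ignored) {
                // nothing further to do on close failure
            }
        }
    }
}
```

Reading the output: if every TLSv1.x line fails while the JVM lists suites the server is known to accept, the mismatch is in cipher suites rather than versions, which is the case Carlos was still chasing with https.cipherSuites; if TLSv1 succeeds, the client can work without SSLv3 and the Apache/Tomcat listener can keep it disabled. The SSLv3 line doubles as a check from the client's side of the network path: after a POODLE fix it should report FAILED, and an OK there means SSLv3 is still reachable on that hop even if an external scanner against the load balancer says otherwise.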
