Sorry, I was only meaning to substantiate where the issue was likely coming from and how to work around it, I didn’t mean to suggest actually re-enabling an insecure protocol. That said, SSLv2Hello is not something which I know to itself be vulnerable. SSLv2 (a distinct option) is of course incredibly insecure, and SSLv3 has POODLE, so both should be disabled IMO, but I’m not aware of a viable attack leveraging SSLv2Hello.
In any case, I would try turning on the Hello to see if this helps to resolve the issue. Cipher mismatch could still be; it just seems weird to me that without explicitly configuring the allowed ciphers there could be such a failed mismatch even with a major Java version difference.

--
Ne Desit Virtus,

Sean R. Baker
1LT, MS
United States Army
Office #: (301) 319-0712
Email: [email protected]

On Oct 20, 2014, at 12:54 PM, Aaron Eidt <[email protected]> wrote:

> Correct me if I'm wrong but doesn't that post suggest to enable both SSLv3
> and SSLv2Hello? Both of which are vulnerable?
>
> If I run with just a single host in the farm things appear to work fine. As
> soon as I bring up the second host the LB drops both from the farm as down.
> However, if I set my /etc/hosts to point directly to either of the CAS
> servers I get the login page, it authenticates me and then throws the error.
> To recover I need to back out of the config on both CAS servers, then the LB
> will see them as up again. Also, during the time that they are in the 'down
> state' I can successfully authenticate/access into a cas-ified apache
> instance, but not the service management.
>
> Thanks,
> Aaron
>
> On 10/20/2014 12:34 PM, Sean Baker wrote:
>> Try the below:
>>
>> https://mail-archives.apache.org/mod_mbox/tomcat-users/201302.mbox/%[email protected]%3E
>>
>> It's a bit of a guess, but it's also the most common reason why we've seen
>> that here.
>>
>> We've had Java 6 and 7 clients reaching out to our instance for ticket
>> validation and have never had a cipher mismatch; that said, we run with the
>> unlimited JCE installed on the server so that may be something to consider
>> as you're looking for newer TLS-compatible ciphers to use.
>>
>>
>> --
>> Ne Desit Virtus,
>>
>> Sean R. Baker
>> 1LT, MS
>> United States Army
>> Office #: (301) 319-0712
>> Email: [email protected]
>>
>> On Oct 20, 2014, at 12:08 PM, Carlos Fernandez <[email protected]> wrote:
>>
>>> Hi, Aaron,
>>>
>>> I thought I was the only one dealing with the same issue. I am getting the
>>> same error on a CAS-enabled app after we disabled SSLv3 support in the load
>>> balancer that sits in front of our CAS servers. So far it seems to only
>>> affect the CAS client.
>>>
>>> I have upgraded to JDK 7u72 and added
>>> -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but still
>>> get the same error message. My guess is that the limited set of ciphers
>>> supported by the load balancer doesn't match the default ciphers enabled in
>>> the JVM. I'm still looking at what values the https.cipherSuites system
>>> property accepts in order to configure it accordingly.
>>>
>>> Best regards,
>>> --
>>> Carlos.
>>>
>>> From: Aaron Eidt [mailto:[email protected]]
>>> Sent: Monday, 20 October, 2014 11:50
>>> To: [email protected]
>>> Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE
>>>
>>> I've attempted to change tomcat config to disable SSLv3 and when I do I get
>>> the following exception trying to login to CAS service management (not
>>> immediately, after a few minutes and sometimes after updating the second
>>> host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector
>>> has worked on several other Tomcat installations.
>>>
>>> Here is more detail about my setup:
>>> CAS version: 3.5.2
>>> Tomcat Version: 7.0.37.0
>>> OS Name: Linux
>>> OS Version: 2.6.32-358.0.1.el6.x86_64
>>> Architecture: amd64
>>> JVM Version: 1.6.0_24-b24
>>> JVM Vendor: Sun Microsystems Inc.
>>>
>>> Have 2 app servers behind load balancer but SSL is done by Tomcat
>>>
>>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received
>>> fatal alert: handshake_failure
>>>
>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>>
>>> root cause
>>>
>>> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>> sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>> sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>> sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
>>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
>>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
>>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
>>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
>>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>>
>>>
>>> Thanks,
>>> Aaron
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
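The thread above comes down to one question: once SSLv3 is removed from the Tomcat connector or the load balancer, does the CAS client JVM still share a protocol version and a cipher suite with the server, and does its ClientHello arrive in a format the server still accepts? The program below is an added example written for this discussion; it is not code from the thread, from CAS, or from Tomcat. It reads the JVM's enabled and supported protocols and cipher suites, applies the https.protocols and https.cipherSuites system properties the way HttpsURLConnection would, and intersects the result with a constructed, hypothetical server-side list (SERVER_PROTOCOLS and SERVER_CIPHERS, which you replace with your own connector or LB settings). It also flags a client that still has the SSLv2Hello pseudo-protocol enabled against a server that no longer accepts it, which is the situation the linked tomcat-users post describes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Checks whether this JVM's HTTPS client can still negotiate with a server
 * after SSLv3 is disabled. Added example; not code from CAS or Tomcat.
 */
public class TlsCompatCheck {

    // CONSTRUCTED sample of what the server side (Tomcat connector or load
    // balancer) accepts with SSLv3 turned off. Replace with your own values,
    // e.g. the connector's sslEnabledProtocols and ciphers attributes.
    static final List<String> SERVER_PROTOCOLS = Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2");
    static final List<String> SERVER_CIPHERS = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA");

    /** Elements of a that also occur in b, in a's order. */
    static List<String> intersect(Collection<String> a, Collection<String> b) {
        List<String> out = new ArrayList<String>();
        for (String s : a) {
            if (b.contains(s)) {
                out.add(s);
            }
        }
        return out;
    }

    /** Elements of a that do not occur in b. */
    static List<String> missing(Collection<String> a, Collection<String> b) {
        List<String> out = new ArrayList<String>();
        for (String s : a) {
            if (!b.contains(s)) {
                out.add(s);
            }
        }
        return out;
    }

    /**
     * What HttpsURLConnection will enable: the comma-separated https.* system
     * property if set, otherwise the SSLContext default. Names the JVM does not
     * support are reported, because SSLSocket.setEnabledProtocols and
     * setEnabledCipherSuites reject them with IllegalArgumentException.
     */
    static List<String> effective(String property, String[] contextDefault, String[] supported) {
        String value = System.getProperty(property);
        List<String> chosen = (value == null || value.trim().length() == 0)
                ? Arrays.asList(contextDefault)
                : Arrays.asList(value.trim().split("\\s*,\\s*"));
        List<String> unsupported = missing(chosen, Arrays.asList(supported));
        if (!unsupported.isEmpty()) {
            System.out.println("WARNING: " + property
                    + " names entries this JVM does not support: " + unsupported);
        }
        return intersect(chosen, Arrays.asList(supported));
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        List<String> clientProtocols = effective("https.protocols",
                enabled.getProtocols(), supported.getProtocols());
        List<String> clientCiphers = effective("https.cipherSuites",
                enabled.getCipherSuites(), supported.getCipherSuites());

        System.out.println("JVM " + System.getProperty("java.version")
                + ", client protocols: " + clientProtocols
                + ", " + clientCiphers.size() + " cipher suites enabled");

        List<String> commonProtocols = intersect(clientProtocols, SERVER_PROTOCOLS);
        List<String> commonCiphers = intersect(clientCiphers, SERVER_CIPHERS);
        System.out.println("Protocols in common: " + commonProtocols);
        System.out.println("Cipher suites in common: " + commonCiphers);

        if (commonProtocols.isEmpty() || commonCiphers.isEmpty()) {
            System.out.println("No overlap: expect 'Received fatal alert: handshake_failure'.");
            System.exit(1);
        }
        // With SSLv2Hello enabled, a SunJSSE client wraps its ClientHello in the
        // SSLv2 hello format; a server that no longer accepts SSLv2Hello rejects
        // that hello even though a TLS version is shared.
        if (clientProtocols.contains("SSLv2Hello") && !SERVER_PROTOCOLS.contains("SSLv2Hello")) {
            System.out.println("Client still sends an SSLv2-format hello: set https.protocols "
                    + "without SSLv2Hello on the client, or keep SSLv2Hello enabled server-side.");
            System.exit(2);
        }
        System.out.println("Protocol and cipher overlap exists; look elsewhere "
                + "(certificate chain, hostname, or the load balancer's health check).");
    }
}
```

Run it under the same JVM and with the same -D flags as the CAS client, for example `java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 TlsCompatCheck`, and compare the output across the two app servers; a difference between them is consistent with only one host failing at a time. On a 1.6.0_24 JVM such as the one in the thread, SunJSSE supports only SSLv2Hello, SSLv3 and TLSv1, so the WARNING line will fire for TLSv1.1 and TLSv1.2, and after SSLv3 is removed the only version left in common is TLSv1.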
