We had to set the following in our Tomcat server.xml:
sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
I captured packets from our hardware load balancer (a Brocade ADX1000).
It uses an SSLv2Hello handshake, so without SSLv2Hello in the protocol
list, it wouldn't bring the port up.
Andy
On Mon, 20 Oct 2014, Sean Baker wrote:
> Sorry, I was only meaning to substantiate where the issue was likely
> coming from and how to work around it, I didn’t mean to suggest actually
> re-enabling an insecure protocol. That said, SSLv2Hello is not
> something which I know to itself be vulnerable. SSLv2 (a distinct
> option) is of course incredibly insecure, and SSLv3 has POODLE, so both
> should be disabled IMO, but I’m not aware of a viable attack leveraging
> SSLv2Hello.
>
> In any case, I would try turning on the Hello to see if this helps to
> resolve the issue. Cipher mismatch could still be; it just seems weird
> to me that without explicitly configuring the allowed ciphers that there
> could be such a failed mismatch even with a major Java version
> difference.
>
>
> --
> Ne Desit Virtus,
>
> Sean R. Baker
> 1LT, MS
> United States Army
> Office #: (301) 319-0712
> Email: [email protected]
>
> On Oct 20, 2014, at 12:54 PM, Aaron Eidt <[email protected]> wrote:
>
>> Correct me if I'm wrong but doesn't that post suggest to enable both SSLv3
>> and SSLv2Hello? Both of which are vulnerable?
>>
>> If I run with just a single host in the farm things appear to work fine. As
>> soon as I bring up the second host the LB drops both from the farm as down.
>> However, if I set my /etc/hosts to point directly to either of the CAS
>> servers I get the login page, it authenticates me and then throws the error.
>> To recover I need to back out of the config on both CAS servers, then the LB
>> will see them as up again. Also, during the time that they are in the 'down
>> state' I can sucessfully authentication/access into a cas-ified apache
>> instance, but not the service management.
>>
>> Thanks,
>> Aaron
>>
>> On 10/20/2014 12:34 PM, Sean Baker wrote:
>>> Try the below:
>>>
>>> https://mail-archives.apache.org/mod_mbox/tomcat-users/201302.mbox/%[email protected]%3E
>>>
>>> It’s a bit of a guess, but it’s also the most common reason why we’ve seen
>>> that here.
>>>
>>> We’ve had Java 6 and 7 clients reaching out to our instance for ticket
>>> validation and have never had a cipher mismatch; that said, we run with the
>>> unlimited JCE installed on the server so that may be something to consider
>>> as you’re looking for newer TLS-compatible ciphers to use.
>>>
>>>
>>> --
>>> Ne Desit Virtus,
>>>
>>> Sean R. Baker
>>> 1LT, MS
>>> United States Army
>>> Office #: (301) 319-0712
>>> Email: [email protected]
>>>
>>> On Oct 20, 2014, at 12:08 PM, Carlos Fernandez <[email protected]> wrote:
>>>
>>>> Hi, Aaron,
>>>>
>>>> I thought I was the only one dealing with the same issue. I am getting the
>>>> same error on a CAS-enabled app after we disabled SSLv3 support in the
>>>> load balancer that sits in front of our CAS servers. So far it seems to
>>>> only affect the CAS client.
>>>>
>>>> I have upgraded to JDK 7u72 and added
>>>> –Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but still
>>>> get the same error message. My guess is that the limited set of ciphers
>>>> supported by the load balancer doesn’t match the default ciphers enabled
>>>> in the JVM. I’m still looking at what values the https.cipherSuites system
>>>> property accepts in order to configure it accordingly.
>>>>
>>>> Best regards,
>>>> --
>>>> Carlos.
>>>>
>>>> From: Aaron Eidt [mailto:[email protected]]
>>>> Sent: Monday, 20 October, 2014 11:50
>>>> To: [email protected]
>>>> Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE
>>>>
>>>> I've attempted to change tomcat config to disable SSLv3 and when I do I
>>>> get the following exception trying to login to CAS service management (not
>>>> immediately, after a few minutes and sometimes after updated the second
>>>> host). Adding sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector
>>>> has worked an several other Tomcat installations.
>>>>
>>>> Here is more detail about my setup:
>>>> CAS version: 3.5.2
>>>> Tomcat Version: 7.0.37.0
>>>> OS Name: Linux
>>>> OS Version: 2.6.32-358.0.1.el6.x86_64
>>>> Architecture: amd64
>>>> JVM Version: 1.6.0_24-b24
>>>> JVM Vendor: Sun Microsystems Inc.
>>>>
>>>> Have 2 app servers behind load balancer but SSL is done by Tomcat
>>>>
>>>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received
>>>> fatal alert: handshake_failure
>>>>
>>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
>>>>
>>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>>>
>>>> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>>>
>>>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>>>
>>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>>>
>>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>>>
>>>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>>>
>>>> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>>>
>>>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>>>
>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>>>
>>>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>>>
>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>>>
>>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>
>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>>>
>>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>>>
>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>
>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>>>
>>>> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>>> root cause
>>>>
>>>> javax.net.ssl.SSLHandshakeException: Received fatal alert:
>>>> handshake_failure
>>>> sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>> sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>>> sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
>>>> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
>>>>
>>>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
>>>>
>>>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
>>>>
>>>> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
>>>>
>>>> sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
>>>>
>>>> sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
>>>>
>>>> sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>>>
>>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
>>>>
>>>> org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>>>
>>>> org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>>>
>>>> org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>>>
>>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>>>
>>>> org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>>>
>>>> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>>>
>>>> org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>>>
>>>> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>>>
>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>>>
>>>> org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>>>
>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>>>
>>>> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>>>
>>>> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>>>
>>>> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>>>
>>>> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>>>
>>>> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>>>
>>>> com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>>>
>>>>
>>>> Thanks,
>>>> Aaron
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>> --
>>> You are currently subscribed to [email protected] as: [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
