Thanks! that worked!
Thank you to everyone for your help and suggestions!
Aaron
--
Aaron Eidt
Unix Systems Administrator
Information Technology Services
University of Western Ontario
[email protected]
On 10/20/2014 6:04 PM, Andrew Morgan wrote:
We had to set the following in our Tomcat server.xml:
sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
I captured packets from our hardware load balancer (a Brocade ADX1000).
It uses an SSLv2Hello handshake, so without SSLv2Hello in the protocol
list, it wouldn't bring the port up.
Andy
On Mon, 20 Oct 2014, Sean Baker wrote:
Sorry, I was only meaning to substantiate where the issue was likely
coming from and how to work around it, I didn’t mean to suggest actually
re-enabling an insecure protocol. That said, SSLv2Hello is not
something which I know to itself be vulnerable. SSLv2 (a distinct
option) is of course incredibly insecure, and SSLv3 has POODLE, so both
should be disabled IMO, but I’m not aware of a viable attack leveraging
SSLv2Hello.
In any case, I would try turning on the Hello to see if this helps to
resolve the issue. Cipher mismatch could still be; it just seems weird
to me that without explicitly configuring the allowed ciphers that there
could be such a failed mismatch even with a major Java version
difference.
--
Ne Desit Virtus,
Sean R. Baker
1LT, MS
United States Army
Office #: (301) 319-0712
Email: [email protected]
On Oct 20, 2014, at 12:54 PM, Aaron Eidt <[email protected]> wrote:
Correct me if I'm wrong but doesn't that post suggest to enable both SSLv3 and
SSLv2Hello? Both of which are vulnerable?
If I run with just a single host in the farm things appear to work fine. As
soon as I bring up the second host the LB drops both from the farm as down.
However, if I set my /etc/hosts to point directly to either of the CAS servers
I get the login page, it authenticates me and then throws the error. To recover
I need to back out of the config on both CAS servers, then the LB will see them
as up again. Also, during the time that they are in the 'down state' I can
sucessfully authentication/access into a cas-ified apache instance, but not the
service management.
Thanks,
Aaron
On 10/20/2014 12:34 PM, Sean Baker wrote:
Try the below:
https://mail-archives.apache.org/mod_mbox/tomcat-users/201302.mbox/%[email protected]%3E
It’s a bit of a guess, but it’s also the most common reason why we’ve seen that
here.
We’ve had Java 6 and 7 clients reaching out to our instance for ticket
validation and have never had a cipher mismatch; that said, we run with the
unlimited JCE installed on the server so that may be something to consider as
you’re looking for newer TLS-compatible ciphers to use.
--
Ne Desit Virtus,
Sean R. Baker
1LT, MS
United States Army
Office #: (301) 319-0712
Email: [email protected]
On Oct 20, 2014, at 12:08 PM, Carlos Fernandez <[email protected]> wrote:
Hi, Aaron,
I thought I was the only one dealing with the same issue. I am getting the same
error on a CAS-enabled app after we disabled SSLv3 support in the load balancer
that sits in front of our CAS servers. So far it seems to only affect the CAS
client.
I have upgraded to JDK 7u72 and added –Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
to the JVM command line, but still get the same error message. My guess is that
the limited set of ciphers supported by the load balancer doesn’t match the
default ciphers enabled in the JVM. I’m still looking at what values the
https.cipherSuites system property accepts in order to configure it accordingly.
Best regards,
--
Carlos.
From: Aaron Eidt [mailto:[email protected]]
Sent: Monday, 20 October, 2014 11:50
To: [email protected]
Subject: [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE
I've attempted to change tomcat config to disable SSLv3 and when I do I get the following
exception trying to login to CAS service management (not immediately, after a few minutes
and sometimes after updated the second host). Adding
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to SSL connector has worked an
several other Tomcat installations.
Here is more detail about my setup:
CAS version: 3.5.2
Tomcat Version: 7.0.37.0
OS Name: Linux
OS Version: 2.6.32-358.0.1.el6.x86_64
Architecture: amd64
JVM Version: 1.6.0_24-b24
JVM Vendor: Sun Microsystems Inc.
Have 2 app servers behind load balancer but SSL is done by Tomcat
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal
alert: handshake_failure
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
root cause
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
Thanks,
Aaron
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
