Hi,

We are migrating to use CAS 4.0 with our ldap server, but running into
issues related to SSL/TLS.

Earlier in CAS 3.5, we were able to resolve the SSL self-signed certificate
error by importing the certificate into our CA store, but now the same is
not working. Given below at the bottom is a snippet from the
deployerConfigContext.xml related to configuring the SSL connection; however,
the CAS server throws an exception saying:

2015-04-22 14:07:28,060 DEBUG
[org.ldaptive.provider.jndi.JndiStartTLSConnectionFactory] - <Error
connecting to LDAP URL: ldap://ldaps.hma.com>

[org.ldaptive.provider.ConnectionException@812461251::resultCode=null,
matchedDn=null, responseControls=null, referralURLs=null, messageId=-1,
providerException=javax.net.ssl.SSLPeerUnverifiedException: hostname of the
server 'ldaps.hma.com' does not match the hostname in the server's
certificate.]

Given below is the SSL config I'm using:

<bean id="abstractConnectionConfig" abstract="true"
      class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="ldap://ldaps.hma.com"
      p:connectTimeout="3000"
      p:useStartTLS="true"
      p:sslConfig-ref="sslConfig" />

<bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
    <!-- AllowAnyTrustManager accepts any certificate chain; it does not
         skip the hostname check that the exception above reports. -->
    <property name="trustManagers">
        <list>
            <bean class="org.ldaptive.ssl.AllowAnyTrustManager"/>
        </list>
    </property>
    <!-- <property name="credentialConfig">
        <bean class="org.ldaptive.ssl.KeyStoreCredentialConfig"
              p:trustStore="file:///C:/Apps/Java/jdk1.7.0_21/jre/lib/security/jssecacerts"
              p:trustStorePassword="changeit" />
    </property> -->
</bean>

Tried the "org.ldaptive.ssl.KeyStoreCredentialConfig" as well - to use the
certificate store - but neither of them works. We are always getting the
same error - the hostname doesn't match the hostname in the certificate.

We won't be able to change the self-signed certificate, as that is not
under our control. Any idea how to get rid of this error? Is any workaround
possible? I really appreciate your help here.

Regards,
Venkatesh

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
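An added example, not code from this thread or from ldaptive or CAS: a Python reproduction of the hostname check the exception reports, run against a constructed certificate with invented names. Swapping in AllowAnyTrustManager relaxes chain trust only; as the log above shows, the hostname in the LDAP URL is still compared against the certificate's DNS subjectAltNames (or its CN when there are none), and that comparison is what fails.

```python
"""RFC 6125-style hostname matching, as TLS clients perform it after the
certificate chain has been accepted (simplified: '*' only as a whole
leftmost label, no IP-address SANs). Added example, not ldaptive code."""
from typing import Dict, List, Tuple

# Constructed peer certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the names are invented for this example.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "ldap01.corp.example"),),),
    "subjectAltName": (("DNS", "ldap01.corp.example"),
                       ("DNS", "*.corp.example")),
}


def _dns_names(cert: Dict) -> List[str]:
    """DNS SANs if the cert has any; otherwise fall back to the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label match; '*' covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: Dict, hostname: str) -> Tuple[bool, List[str]]:
    """Return (matched, names_checked) so a mismatch can be explained."""
    names = _dns_names(cert)
    return any(_label_match(n, hostname) for n in names), names


if __name__ == "__main__":
    # The URL hostname from the thread against the constructed cert: mismatch.
    ok, names = hostname_matches(CONSTRUCTED_CERT, "ldaps.hma.com")
    print(ok, names)  # False ['ldap01.corp.example', '*.corp.example']
    print(hostname_matches(CONSTRUCTED_CERT, "ldap02.corp.example")[0])  # True
```

The names list returned on a mismatch is what to compare against the URL: the client must be pointed at a name the certificate actually carries, or the certificate reissued with that name as a SAN.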
