Thanks Scott,
but this modification is not sufficient.
The HttpBasedServiceCredentialsAuthenticationHandler class is loaded after
the HttpClient3FactoryBean class.
HttpBasedServiceCredentialsAuthenticationHandler also makes a call to the
StrictSSLProtocolSocketFactory class, and overwrites the initialization of
the useStrictHostNameChecking property.
And it is dangerous to completely deactivate certificate hostname checking.
I will probably patch the StrictSSLProtocolSocketFactory class to let
"generic" (wildcard) certificates work.
With the CAS V2 server, I controlled certificates with a keystore at Tomcat
startup:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/cert/portail.keystore" ;
that doesn't work now.
Vincent
Scott Battaglia wrote:
CAS 3 checks the host name very strictly (i.e. * doesn't work). You
can disable this check by setting the property
useStrictHostNameChecking to false on the HttpClient3FactoryBean.
However, that means while it will check that the certificate is valid,
it will not match the host name to the host name on the certificate.
-Scott
On 1/8/07, Vincent MATHIEU <[EMAIL PROTECTED]> wrote:
Hello,
We have used cas-server V2 for several years, and we would like to migrate
to cas-server V3.
cas-server V3 works correctly for authentication (via LDAP), but
doesn't work in CAS proxy mode.
Here is a log (catalina.out) from the CAS V3 server:
2007-01-08 21:25:22,248 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: vmathieu>
2007-01-08 21:25:22,279 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service [http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]>
2007-01-08 21:25:26,974 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'>
javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'
        at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:303)
We use a 'generic' (wildcard) SSL certificate for our HTTPS server:
CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr).
The problem seems to come from.
The CAS V2 server works correctly with the same certificates.
Is there a simple solution to handle the problem, or do I have to patch
the code?
Thanks
Vincent
--
Vincent MATHIEU
Université Nancy 2 - CRI
Systems and networks team
tel: 03 54 50 36 56
contact details:
http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
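The hostname-matching rule this thread turns on, as an added example that is not part of the thread, of CAS, or of commons-httpclient: a verifier that honours a wildcard certificate only when the "*" is the entire left-most label and matches exactly one label, so CN=*.univ-nancy2.fr covers esupdev1.univ-nancy2.fr but nothing deeper, nothing elsewhere, and no bare TLD. Beside it sit an exact-only matcher standing in for the strict comparison the log shows CAS 3 applying, and a "disabled" mode that is what setting useStrictHostNameChecking to false amounts to. It is written in Python for illustration; the rules are the RFC 6125 section 6.4.3 conservative profile, which is what a patch to StrictSSLProtocolSocketFactory.verifyHostname would need to implement. Hostnames other than those quoted in the thread are constructed.

```python
# Added example, not code from the CAS project or from commons-httpclient.
# Wildcard matching per RFC 6125 section 6.4.3 (conservative profile), so
# that CN=*.univ-nancy2.fr covers esupdev1.univ-nancy2.fr without becoming
# the blanket "accept any host" that disabling the check produces.
import ipaddress


def strict_matches(cert_name: str, hostname: str) -> bool:
    """Exact, case-insensitive comparison with no wildcard support.

    Mirrors the behaviour the thread's log shows for CAS 3: the literal
    string '*.univ-nancy2.fr' is compared to the expected host and rejected.
    """
    return cert_name.lower().rstrip(".") == hostname.lower().rstrip(".")


def _is_ip_address(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or dNSName SAN) covers hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is honoured only when it is the entire left-most label, so a
        partial wildcard such as 'es*.univ-nancy2.fr' is refused;
      * the wildcard matches exactly one label and never a dot, so
        '*.univ-nancy2.fr' does not cover 'a.b.univ-nancy2.fr';
      * at least two fixed labels must follow it, so '*.fr' is refused;
      * IP addresses, empty labels and hostnames containing '*' never match.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name or not hostname or "*" in hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname

    pattern_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if pattern_labels[0] != "*" or any("*" in lbl for lbl in pattern_labels[1:]):
        return False
    if len(pattern_labels) < 3:
        return False
    if _is_ip_address(hostname):
        return False
    if len(host_labels) != len(pattern_labels) or any(lbl == "" for lbl in host_labels):
        return False
    # The wildcard label has consumed host_labels[0]; the rest must be identical.
    return host_labels[1:] == pattern_labels[1:]


def verify_hostname(cert_names, hostname: str, mode: str = "wildcard") -> bool:
    """Check hostname against every name the certificate carries.

    mode: 'strict'   -> exact match only (what the log shows CAS 3 doing)
          'wildcard' -> the RFC 6125 rules above
          'disabled' -> always True; this is useStrictHostNameChecking=false.
                        The caller still validates the chain, but any validly
                        signed certificate is then accepted for any host,
                        which is why the thread calls it dangerous.
    """
    if mode == "disabled":
        return True
    match = strict_matches if mode == "strict" else wildcard_matches
    return any(match(name, hostname) for name in cert_names)


if __name__ == "__main__":
    cert = ["*.univ-nancy2.fr"]  # the certificate from the thread
    # constructed hostnames beside the real one from the log
    for host in ("esupdev1.univ-nancy2.fr", "a.b.univ-nancy2.fr",
                 "univ-nancy2.fr", "evil.example.org"):
        verdicts = {m: verify_hostname(cert, host, m)
                    for m in ("strict", "wildcard", "disabled")}
        print(f"{host:28s} {verdicts}")
```

The "disabled" column is the point of the thread: it says yes to evil.example.org as readily as to esupdev1.univ-nancy2.fr, so a certificate issued to any host at all, by any CA in the trust store, would be accepted by the proxy callback. The wildcard column says yes only to single-label hosts directly under univ-nancy2.fr, which is what the certificate was issued for.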