Hi,
Since receiving your response, I installed a self-signed cert in the Java 
keystore on the CAS server, thinking that the handshake that was failing was a 
result of not having one.
 
I'm not sure what you mean by the "public key for the CA". I used a self-signed 
cert, and copied the cacert.pem file over to the mod_auth_cas machine.
There is no public key, there is a private key, but the CAS manual did not 
instruct me to do anything with it.
 
Client machine: the parameter CASCertificatePath is set to the directory where 
I copied the cacert.pem file from the CAS server, and I ran c_rehash on the 
directory. I did try with CASValidateServer Off.
 
I've included the apache error log entries as requested - see below.
The changes have resulted in a different error showing. It is no longer about 
the handshake, but now an oversized response.
 
Is it possible my cas server doesn't know where the keystore is? Also, my 
tomcat is NOT ssl enabled. I'm working under the (false?) assumption that it 
doesn't need to be as long as it is behind apache-ssl/mod_jk.
 
Thanks, Erik
 
 
------error_log
 
[Thu Apr 17 18:55:12 2008] [notice] Apache/2.2.4 (Unix) mod_ssl/2.2.4 
OpenSSL/0.9.7a configured -- resuming normal operations
[Thu Apr 17 18:55:40 2008] [notice] caught SIGTERM, shutting down
[Thu Apr 17 18:55:42 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Apr 17 18:55:42 2008] [info] Init: Generating temporary RSA private keys 
(512/1024 bits)
[Thu Apr 17 18:55:42 2008] [info] Init: Generating temporary DH parameters 
(512/1024 bits)
[Thu Apr 17 18:55:42 2008] [warn] Init: Session Cache is not configured [hint: 
SSLSessionCache]
[Thu Apr 17 18:55:42 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 17 18:55:42 2008] [info] Server: Apache/2.2.4, Interface: 
mod_ssl/2.2.4, Library: OpenSSL/0.9.7a
[Thu Apr 17 18:55:42 2008] [info] mod_unique_id: using ip addr 153.90.170.6
[Thu Apr 17 18:55:43 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
[Thu Apr 17 18:55:43 2008] [info] Init: Generating temporary RSA private keys 
(512/1024 bits)
[Thu Apr 17 18:55:43 2008] [info] Init: Generating temporary DH parameters 
(512/1024 bits)
[Thu Apr 17 18:55:43 2008] [info] Init: Initializing (virtual) servers for SSL
[Thu Apr 17 18:55:43 2008] [info] Server: Apache/2.2.4, Interface: 
mod_ssl/2.2.4, Library: OpenSSL/0.9.7a
[Thu Apr 17 18:55:43 2008] [notice] Digest: generating secret for digest 
authentication ...
[Thu Apr 17 18:55:43 2008] [notice] Digest: done
[Thu Apr 17 18:55:43 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Thu Apr 17 18:55:43 2008] [info] LDAP: SSL support available
[Thu Apr 17 18:55:43 2008] [info] mod_unique_id: using ip addr 153.90.170.6
[Thu Apr 17 18:55:44 2008] [notice] Apache/2.2.4 (Unix) mod_ssl/2.2.4 
OpenSSL/0.9.7a configured -- resuming normal operations
[Thu Apr 17 18:55:44 2008] [info] Server built: Jul 20 2007 11:44:36
[Thu Apr 17 18:55:44 2008] [debug] prefork.c(991): AcceptMutex: sysvsem 
(default: sysvsem)
[Thu Apr 17 18:56:08 2008] [debug] mod_auth_cas.c(391): [client 153.90.170.43] 
CAS Service 'http%3a%2f%2fshares.lib.montana.edu%2fcas%2f'
[Thu Apr 17 18:56:08 2008] [debug] mod_auth_cas.c(410): [client 153.90.170.43] 
Adding outgoing header: Location: 
https://shelf.lib.montana.edu/cas-server-webapp-3.2/login?service=http%3a%2f%2fshares.lib.montana.edu%2fcas%2f
[Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(454): [client 153.90.170.43] 
Modified r->args (old 'ticket=ST-8-wdAODVUrwwUQl6DNpdzL-cas', new '')
[Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(391): [client 153.90.170.43] 
CAS Service 'http%3a%2f%2fshares.lib.montana.edu%2fcas%2f'
[Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(1168): [client 153.90.170.43] 
Validation request: GET 
/cas-server-webapp-3.2/serviceValidate?service=http%3a%2f%2fshares.lib.montana.edu%2fcas%2f&ticket=ST-8-wdAODVUrwwUQl6DNpdzL-cas
 HTTP/1.1\nHost: shelf.lib.montana.edu\nConnection: close\n\n
[Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(1176): [client 153.90.170.43] 
Request successfully transmitted
[Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1184): [client 153.90.170.43] 
Received 171 bytes of response
[Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1184): [client 153.90.170.43] 
Received 852 bytes of response
[Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1184): [client 153.90.170.43] 
Received 0 bytes of response
[Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1190): [client 153.90.170.43] 
Validation response: HTTP/1.1 500 Internal Server Error\r\nDate: Fri, 18 Apr 
2008 00:56:16 GMT\r\nServer: Apache\r\nContent-Length: 4550\r\nConnection: 
close\r\nContent-Type: text/html;charset=utf-8\r\n\r\n<html><head><title>Apache 
Tomcat/6.0.16 - Error report</title><style><!--H1 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
 H2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
 H3 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
 BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} 
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P 
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
 {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> 
</head><body><h1>HTTP Status 500 - </h1><HR size="1" 
noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> 
<u></u></p><p><b>description</b> <u>The server encountered
[Thu Apr 17 18:56:16 2008] [error] [client 153.90.170.43] MOD_AUTH_CAS: 
oversized response received from 
shelf.lib.montana.edu/cas-server-webapp-3.2/serviceValidate
[Thu Apr 17 18:56:16 2008] [error] [client 153.90.170.43] File does not exist: 
/usr/local/apache2/htdocs/403.html


________________________________

From: [EMAIL PROTECTED] on behalf of Phil Ames
Sent: Wed 4/16/2008 7:41 PM
To: Yale CAS mailing list
Subject: Re: SSL - CAS - tomcat - mod_auth_cas



Hi,
Can you please include the contents of your Apache debug logs with the
server LogLevel set to debug and CASDebug On?

Also, have you tried the directive CASValidateServer Off to ensure
that there are no strange network connectivity issues?

Is the public key for the CA that signed your CAS server's certificate
located on the machine with mod_auth_cas?  Is that the argument that
you have given to CASCertificatePath, or did you use a more generic
/etc/ssl/certs/ ?  If you used the directory, make sure that your CA's
public key is in /etc/ssl/certs/ and that you have run c_rehash in
that directory.

Hope this helps,

-Phil

On Wed, Apr 16, 2008 at 7:03 PM, Guss, Erik <[EMAIL PROTECTED]> wrote:
>
>
> Hi,
> I'm trying to work out SSL issues. My environment is apache
> 2.3/mod_jk/mod_ssl passing cas requests to tomcat CAS server on port 8080
> via worker config in apache. This works as per the install docs via the
> https:// protocol.
>
> When I try to use a cas client other than a browser, i.e. - apache
> mod_auth_cas, the error log says "Unable to perform SSL handshake with (cas
> server)".
>
> I've seen conflicting documentation on this issue. The tomcat install docs
> indicate that if running tomcat "behind" apache via mod_jk, then only apache
> needs SSL functionality. There are also docs for mod_auth_cas which explain
> how to configure the client mod_auth_cas with the CA cert of the cas server,
> but only when tomcat is ssl-enabled, not running behind apache-ssl. I've
> tried adding the apache-ssl CA cert to the client machine, with no better
> results.
>
> Has anyone configured mod_auth_cas against an apache-ssl server working via
> mod_jk to tomcat/CAS behind it?
>
> Thanks, Erik Guss - Montana State Univ.
>
> _______________________________________________
>  Yale CAS mailing list
>  [email protected]
>  http://tp.its.yale.edu/mailman/listinfo/cas
>
>
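Phil's advice above (install the CA's public certificate, not its private key, in CASCertificatePath and run c_rehash) checked end to end with openssl, as an added example that is not code from the thread or from mod_auth_cas: it builds throwaway certificates in a temporary directory and shows that verification only succeeds once the trust anchor is present and the directory is hashed. It assumes the openssl CLI 1.1 or later and uses `openssl rehash` in place of the c_rehash script; the second case covers the self-signed server certificate Erik describes.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes the openssl CLI, 1.1 or
# later; `openssl rehash` does what the c_rehash script does. All host names
# and files below are made up and created in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/certs"     # stands in for the directory CASCertificatePath names
mkdir -p "$CAPATH"

# Case A: a CA signs the CAS server's certificate. The CA's private key stays
# with the issuer; only cacert.pem, the CA's public certificate, is what gets
# copied to the mod_auth_cas host.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=cas.example.test" \
  -keyout "$WORK/cas.key" -out "$WORK/cas.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/cas.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/cas.pem" >/dev/null 2>&1

# Case B: the CAS server presents a self-signed certificate. It is its own
# issuer, so that same certificate is the "CA cert" to install on the client.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1

# verify_against_capath DIR CERT: echo "ok" if CERT chains to a trust anchor in
# DIR (located through the c_rehash-style hash links), otherwise "fail".
verify_against_capath() {
  if openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Empty directory: both checks fail, which is what the handshake error reflects.
ca_signed_before=$(verify_against_capath "$CAPATH" "$WORK/cas.pem")
self_signed_before=$(verify_against_capath "$CAPATH" "$WORK/self.pem")

# Install the public certificates and hash the directory (c_rehash equivalent).
# ca.key and self.key are never copied: a private key adds nothing to trust.
cp "$WORK/cacert.pem" "$WORK/self.pem" "$CAPATH/"
openssl rehash "$CAPATH" >/dev/null 2>&1

ca_signed_after=$(verify_against_capath "$CAPATH" "$WORK/cas.pem")
self_signed_after=$(verify_against_capath "$CAPATH" "$WORK/self.pem")
echo "CA-signed:   $ca_signed_before -> $ca_signed_after"
echo "self-signed: $self_signed_before -> $self_signed_after"
```

Pointing `CASCertificatePath` at a directory that has the certificate but was never hashed gives the same failure as the empty directory, which is why running c_rehash after copying the file matters.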
