Hi,

Are these logs from when "CASValidateServer" is set to off? I'm curious because if so, there may be more than one issue here. I would also be curious to know if there is any information in the Tomcat logs -- it looks like the response that mod_auth_cas is receiving is an error page from your Tomcat server. You may be able to reproduce it by visiting the URL that mod_auth_cas attempts to validate against in a standard web browser:
https://shelf.lib.montana.edu/cas-server-webapp-3.2/serviceValidate?service=http%3a%2f%2fshares.lib.montana.edu%2fcas%2f&ticket=ST-8-wdAODVUrwwUQl6DNpdzL-cas

HTH,
-Phil

On Thu, Apr 17, 2008 at 9:40 PM, Guss, Erik <[EMAIL PROTECTED]> wrote:
> Hi,
> Since receiving your response, I installed a self-signed cert in the java keystore on the cas server, thinking that the handshake that was failing was a result of not having one.
>
> I'm not sure what you mean by the "public key for the CA". I used a self-signed cert, and copied the cacert.pem file over to the mod_auth_cas machine. There is no public key, there is a private key, but the CAS manual did not instruct to do anything with it.
>
> Client machine- The parameter CasCertificatepath is set to the directory where I copied the cacert.pem file from the cas server, and ran c_rehash on the directory. I did try with CASValidateServer = Off.
>
> I've included the apache error log entries as requested - see below. The changes have resulted in a different error showing. It is no longer about the handshake, but now an oversized response.
>
> Is it possible my cas server doesn't know where the keystore is? Also, my tomcat is NOT ssl enabled. I'm working under the (false?) assumption that it doesn't need to be as long as it is behind apache-ssl/mod_jk.
>
> thanks, Erik
>
>
> ------error_log
>
> [Thu Apr 17 18:55:12 2008] [notice] Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7a configured -- resuming normal operations
> [Thu Apr 17 18:55:40 2008] [notice] caught SIGTERM, shutting down
> [Thu Apr 17 18:55:42 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
> [Thu Apr 17 18:55:42 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [Thu Apr 17 18:55:42 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
> [Thu Apr 17 18:55:42 2008] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
> [Thu Apr 17 18:55:42 2008] [info] Init: Initializing (virtual) servers for SSL
> [Thu Apr 17 18:55:42 2008] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.7a
> [Thu Apr 17 18:55:42 2008] [info] mod_unique_id: using ip addr 153.90.170.6
> [Thu Apr 17 18:55:43 2008] [info] Init: Seeding PRNG with 136 bytes of entropy
> [Thu Apr 17 18:55:43 2008] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [Thu Apr 17 18:55:43 2008] [info] Init: Generating temporary DH parameters (512/1024 bits)
> [Thu Apr 17 18:55:43 2008] [info] Init: Initializing (virtual) servers for SSL
> [Thu Apr 17 18:55:43 2008] [info] Server: Apache/2.2.4, Interface: mod_ssl/2.2.4, Library: OpenSSL/0.9.7a
> [Thu Apr 17 18:55:43 2008] [notice] Digest: generating secret for digest authentication ...
> [Thu Apr 17 18:55:43 2008] [notice] Digest: done
> [Thu Apr 17 18:55:43 2008] [info] APR LDAP: Built with OpenLDAP LDAP SDK
> [Thu Apr 17 18:55:43 2008] [info] LDAP: SSL support available
> [Thu Apr 17 18:55:43 2008] [info] mod_unique_id: using ip addr 153.90.170.6
> [Thu Apr 17 18:55:44 2008] [notice] Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7a configured -- resuming normal operations
> [Thu Apr 17 18:55:44 2008] [info] Server built: Jul 20 2007 11:44:36
> [Thu Apr 17 18:55:44 2008] [debug] prefork.c(991): AcceptMutex: sysvsem (default: sysvsem)
> [Thu Apr 17 18:56:08 2008] [debug] mod_auth_cas.c(391): [client 153.90.170.43] CAS Service 'http%3a%2f%2fshares.lib.montana.edu%2fcas%2f'
> [Thu Apr 17 18:56:08 2008] [debug] mod_auth_cas.c(410): [client 153.90.170.43] Adding outgoing header: Location: https://shelf.lib.montana.edu/cas-server-webapp-3.2/login?service=http%3a%2f%2fshares.lib.montana.edu%2fcas%2f
> [Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(454): [client 153.90.170.43] Modified r->args (old 'ticket=ST-8-wdAODVUrwwUQl6DNpdzL-cas', new '')
> [Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(391): [client 153.90.170.43] CAS Service 'http%3a%2f%2fshares.lib.montana.edu%2fcas%2f'
> [Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(1168): [client 153.90.170.43] Validation request: GET /cas-server-webapp-3.2/serviceValidate?service=http%3a%2f%2fshares.lib.montana.edu%2fcas%2f&ticket=ST-8-wdAODVUrwwUQl6DNpdzL-cas HTTP/1.1\nHost: shelf.lib.montana.edu\nConnection: close\n\n
> [Thu Apr 17 18:56:15 2008] [debug] mod_auth_cas.c(1176): [client 153.90.170.43] Request successfully transmitted
> [Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1184): [client 153.90.170.43] Received 171 bytes of response
> [Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1184): [client 153.90.170.43] Received 852 bytes of response
> [Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1184): [client 153.90.170.43] Received 0 bytes of response
> [Thu Apr 17 18:56:16 2008] [debug] mod_auth_cas.c(1190): [client 153.90.170.43] Validation response: HTTP/1.1 500 Internal Server Error\r\nDate: Fri, 18 Apr 2008 00:56:16 GMT\r\nServer: Apache\r\nContent-Length: 4550\r\nConnection: close\r\nContent-Type: text/html;charset=utf-8\r\n\r\n<html><head><title>Apache Tomcat/6.0.16 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered
> [Thu Apr 17 18:56:16 2008] [error] [client 153.90.170.43] MOD_AUTH_CAS: oversized response received from shelf.lib.montana.edu/cas-server-webapp-3.2/serviceValidate
> [Thu Apr 17 18:56:16 2008] [error] [client 153.90.170.43] File does not exist: /usr/local/apache2/htdocs/403.html
>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Phil Ames
> Sent: Wed 4/16/2008 7:41 PM
> To: Yale CAS mailing list
> Subject: Re: SSL - CAS - tomcat - mod_auth_cas
>
> Hi,
> Can you please include the contents of your Apache debug logs with the server LogLevel set to debug and CASDebug On?
>
> Also, have you tried the directive CASValidateServer Off to ensure that there are no strange network connectivity issues?
>
> Is the public key for the CA that signed your CAS server's certificate located on the machine with mod_auth_cas? Is that the argument that you have given to CASCertificatePath, or did you use a more generic /etc/ssl/certs/ ? If you used the directory, make sure that your CA's public key is in /etc/ssl/certs/ and that you have run c_rehash in that directory.
>
> Hope this helps,
>
> -Phil
>
> On Wed, Apr 16, 2008 at 7:03 PM, Guss, Erik <[EMAIL PROTECTED]> wrote:
> >
> > Hi,
> > I'm trying to work out SSL issues. My environment is apache 2.3/mod_jk/mod_ssl passing cas requests to tomcat CAS server on port 8080 via worker config in apache. This works as per the install docs via the https:// protocol.
> >
> > When I try to use a cas client other than a browser, i.e. - apache mod_auth_cas, the error log says "Unable to perform SSL handshake with (cas server)".
> >
> > I've seen conflicting documentation on this issue. The tomcat install docs indicate that if running tomcat "behind" apache via mod_jk, then only apache needs SSL functionality. There are also docs for mod_auth_cas which explain how to configure the client mod_auth_cas with the CA cert of the cas server, but only when tomcat is ssl-enabled, not running behind apache-ssl. I've tried adding the apache-ssl CA cert to the client machine, with no better results.
> >
> > Has anyone configured mod_auth_cas against an apache-ssl server working via mod_jk to tomcat/CAS behind it?
> >
> > Thanks, Erik Guss - Montana State Univ.
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
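The log above shows the core risk in this thread: mod_auth_cas asked the CAS server to validate a service ticket and got back a Tomcat HTML error page instead of a CAS XML document. A client must fail closed on such a reply, never treat it as a successful login, and cap how much it reads. The script below is an added example, not code from the thread or from mod_auth_cas, showing how a CAS 2.0 client should treat a /serviceValidate reply: it builds the validation URL, enforces a response-size limit (the assumed value MAX_RESPONSE_BYTES stands in for mod_auth_cas's own "oversized response" check), and accepts only a well-formed cas:serviceResponse carrying cas:authenticationSuccess. The sample responses are constructed; the HTML one mirrors the Tomcat 500 page quoted in the log.

```python
"""Strict handling of a CAS 2.0 /serviceValidate response.

Added example (not from the mailing-list thread and not mod_auth_cas's code).
Everything here is constructed for illustration; the CAS namespace URI and
response element names are those of the CAS 2.0 protocol.
"""
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
# Assumed cap on the bytes a client will read from the CAS server before
# giving up. A real CAS XML reply is a few hundred bytes; an HTML error page
# or an unexpected proxy response is usually far larger.
MAX_RESPONSE_BYTES = 4096


class ValidationError(Exception):
    """Raised for any reply that must not be treated as a successful login."""


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the /serviceValidate URL, percent-encoding the service URL."""
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return f"{cas_base.rstrip('/')}/serviceValidate?{query}"


def parse_service_validate(status: int, body: bytes) -> str:
    """Return the authenticated username, or raise ValidationError.

    Fail closed: the reply must be HTTP 200, within the size cap, well-formed
    XML whose root is cas:serviceResponse, and must contain
    cas:authenticationSuccess with a non-empty cas:user. Anything else,
    including a well-formed HTML error page, is rejected.
    """
    if len(body) > MAX_RESPONSE_BYTES:
        raise ValidationError(f"oversized response ({len(body)} bytes)")
    if status != 200:
        raise ValidationError(f"HTTP {status} from CAS server")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValidationError(f"response is not XML: {exc}") from None
    if root.tag != f"{{{CAS_NS}}}serviceResponse":
        raise ValidationError(f"unexpected root element {root.tag!r}")
    failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
    if failure is not None:
        reason = (failure.text or "").strip()
        raise ValidationError(f"CAS rejected ticket: {failure.get('code')} {reason}")
    success = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if success is None:
        raise ValidationError("no cas:authenticationSuccess element")
    user = success.findtext(f"{{{CAS_NS}}}user") or ""
    if not user.strip():
        raise ValidationError("cas:authenticationSuccess without cas:user")
    return user.strip()


def validate_ticket_response(status: int, body: bytes) -> tuple:
    """Wrapper returning ("ok", username) or ("rejected", reason)."""
    try:
        return ("ok", parse_service_validate(status, body))
    except ValidationError as exc:
        return ("rejected", str(exc))


# Constructed sample replies.
SAMPLE_SUCCESS = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>eguss</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-8-wdAODVUrwwUQl6DNpdzL-cas' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed stand-in for the Tomcat error page seen in the thread's log.
# It is well-formed markup, so the XML parser accepts it; the root-element
# check is what rejects it.
SAMPLE_TOMCAT_ERROR = (
    b"<html><head><title>Apache Tomcat/6.0.16 - Error report</title></head>"
    b"<body><h1>HTTP Status 500 - </h1><p><b>type</b> Exception report</p>"
    b"</body></html>"
)

if __name__ == "__main__":
    print(build_validate_url("https://shelf.lib.montana.edu/cas-server-webapp-3.2",
                             "http://shares.lib.montana.edu/cas/",
                             "ST-8-wdAODVUrwwUQl6DNpdzL-cas"))
    for label, status, body in [("success", 200, SAMPLE_SUCCESS),
                                ("failure", 200, SAMPLE_FAILURE),
                                ("tomcat 500", 500, SAMPLE_TOMCAT_ERROR),
                                ("tomcat page as 200", 200, SAMPLE_TOMCAT_ERROR),
                                ("oversized", 200, b"x" * 5000)]:
        print(label, "->", validate_ticket_response(status, body))
```

The root-element check matters more than it looks: the Tomcat page in the log is plain HTML, and a parser that only asks "did this parse?" or only searches for a cas:user string somewhere in the body would be the wrong gate. Checking the namespaced root and then the specific success element means a misrouted, proxied or error reply can never be mistaken for an authenticated user.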
