Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread Michael Santangelo
Ray,

So bear with me here, because I've only been doing this for about 6 months, 
and it's felt very piecemeal (as in I am pretty sure there's a better way 
to do it but I'm not familiar enough with it to figure it out yet).

Yes, I think we're running the embedded Tomcat as I start our cas with a 
"sudo ./gradlew clean copyCasConfiguration build run" --- I then watch the 
screen for output and I don't see any errors regarding any of the stores.

The tomcat.jks certificate is consistently sent by the webserver as 
evidenced by loading the site and getting proper SSL.  It's just when I run 
a Qualys SSL scan on our instance it says that we're missing the 
certificate chain, which I thought I specified to include by adding the 
lines "server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2" to the cas.properties.

I've tried changing it to server.ssl.trust-store and 
server.ssl.trust-store-password but I don't get errors with that either... 
Which leads me to believe I'm missing the errors as they happen or 
something else entirely is wrong.

I don't see any errors during page access either.


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/73419473-4555-41cc-8e60-dc1587c38b01n%40apereo.org.


Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread Michael Santangelo
Yeah, that's why I'm trying to get the chain included, so it will pass the 
scanner.  It works fine in any browser I test in, but we get a weekly scan 
report and it keeps coming up as chain invalid.  Just trying to get it to 
clear the scan.  I'm about half a minute away from putting it behind a 
reverse proxy.

Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread 'Richard Frovarp' via CAS Community
Guessing that it has to do with how you brought it into the keystore? 
This answer has details on how to import it as a chain into the 
keystore: 
https://stackoverflow.com/questions/9299133/why-doesnt-java-send-the-client-certificate-during-ssl-handshake/9300727#9300727



Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread 'Richard Frovarp' via CAS Community
Browsers will insert the intermediate certificates if they know them. So 
you can't trust the browser. Scanners look for the chain with no prior 
knowledge, and thus are more reliable in determining if you have 
everything set up correctly.




Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread Ray Bon
Michael,

I have not run the embedded tomcat so I do not know where the logs are or if 
they are the same in the console on startup.
When you are on the cas site, you can click the lock icon beside the url. You 
can then get access to the certificate(s) and view them. (Steps vary a bit 
between browsers.) You should see your host cert, the intermediates, and the 
root CA.
If those certs are as you expect, perhaps the scanning tool can provide more 
details on what it thinks is amiss.

Ray

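A way to do what Ray suggests (look at the chain the server actually serves) without relying on a browser, which as Richard points out may fill in intermediates it already knows: an added example, not code from this thread or from the CAS project. It parses the "Certificate chain" section printed by `openssl s_client -showcerts`; the sample output, the host name cas.example.edu and the CA names in it are constructed.

```python
"""Check whether a TLS server sends a complete certificate chain the way an
external scanner does: with no prior knowledge beyond its own root store.
Added example, not code from this thread or from the CAS project. It parses
the "Certificate chain" section that `openssl s_client -showcerts` prints;
the sample output, host name and CA names below are constructed."""
import re

# Constructed sample: the server sends only its own certificate, which is the
# symptom in the thread (a browser still shows a padlock if it already knows
# the intermediate; a scanner with an empty cache does not).
LEAF_ONLY = """\
Certificate chain
 0 s:CN = cas.example.edu
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-placeholder...
-----END CERTIFICATE-----
---
"""

# Constructed sample: the same server after the intermediate is included.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:CN = cas.example.edu
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-placeholder...
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-placeholder...
-----END CERTIFICATE-----
---
"""

# The only prior knowledge a scanner has: subjects of the roots it trusts.
TRUSTED_ROOTS = {"C = US, O = Example CA, CN = Example Root CA"}

# One "N s:<subject>" line followed by an "i:<issuer>" line per certificate
# (works for both the "CN = x" and the older "/CN=x" subject formats).
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(showcerts_output):
    """Return the served chain as (subject, issuer) pairs in wire order."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in ENTRY.finditer(showcerts_output)]


def chain_status(chain, trusted_roots, hostname):
    """Explain why a scanner would accept or reject the served chain."""
    if not chain:
        return "no certificate sent"
    leaf_subject, _ = chain[0]
    # Simplified host check on the CN; a real scanner also checks the SANs.
    if "CN=" + hostname not in leaf_subject.replace(" = ", "="):
        return "first certificate is not the host certificate"
    # Every certificate must be issued by the one the server sends after it.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return f"break in chain: {issuer!r} was not sent next"
    last_subject, last_issuer = chain[-1]
    # The chain must end at something already trusted: either the last
    # certificate is a trusted root or it was issued directly by one.
    if last_subject in trusted_roots or last_issuer in trusted_roots:
        return "complete"
    return f"incomplete: {last_issuer!r} was not sent and is not a trusted root"
```

Feed it the real output of `openssl s_client -connect host:443 -servername host -showcerts` to see what the scanner sees. Spring Boot's server.ssl.trust-store only sets which CAs the server trusts for client certificates; the chain it sends comes from the key-store entry that holds the private key, which is what the Stack Overflow answer linked in this thread addresses.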


Re: [cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-03 Thread Ray Bon
Michael,

I assume you are running embedded tomcat and the process running tomcat has 
read access to the .jks.
What certificate is being sent when you browse to cas/login?
Are there any log errors on tomcat startup or page access?

Ray



[cas-user] CAS SSL - How to send SSL Certificate Chain?

2022-11-02 Thread Michael Santangelo
Hello all,

I'm struggling with getting CAS to send the certificate chain properly and 
wondering if maybe I'm using the wrong lines in the config.

Before this project I had:
server.ssl.key-store=file:/path/to/ssl/tomcat.jks
server.ssl.key-store-password=thepassword

After some googling, I added
server.ssl.truststore=file:/path/to/ssl/chain.jks
server.ssl.truststorepassword=thepassword2

However, when I run SSL scans against the site, it still reports that the 
chain isn't being sent.

Is it different keys? Or should I just bake the chain into the tomcat 
file?  Are there any aliases I should use specifically?

Thanks.
-M
