Duo root certificate authority bundle replacement?


Baron Fujimoto

Dec 18, 2025, 11:16:48 PM
to CAS Community
We are currently running CAS 7.0.x with the "cas-server-support-duo" dependency in our build.gradle overlay.

In response to an advisory from Duo re "Duo root certificate authority bundle replacement" (action required by 2025-02-02)

We tried to determine if we were affected by this. Duo reports in our Unsupported Clients log many entries that are tied to our Identification Key for the Duo app used by our CAS service. It's unclear to us though whether these entries represented CAS itself, or clients using our CAS service.

Our initial analysis suggested to us that these entries represented CAS clients using our CAS service. However, we received the following response to our query to Duo support:

With CAS, since this is a third party application that has integrated Duo, our team recently got a confirmation from CAS that they have made an update available for the upcoming CA bundle replacement, and you must perform some upgrade or configuration action to use it.

And they provided links to the CAS 7.3.0 Duo Security MFA documentation:
<https://apereo.github.io/cas/7.3.x/mfa/DuoSecurity-Authentication.html>

So is the CAS server actually affected by this issue if using "cas-server-support-duo"? If so, what is the minimum CAS server version required to address this? If there are release notes or something comparable that covers this, a pointer to those would be appreciated as well.

--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum

Baron Fujimoto

Dec 19, 2025, 12:02:47 PM
to CAS Community
Following up with additional information. We now believe the Duo Unsupported Client reports actually do implicate CAS. Initially we were dissuaded because the Client IP in these reports was not known to be associated with our CAS servers, but we've since learned that all the servers' traffic was NAT'd behind the reported IP.

I don't recall seeing this issue being discussed previously on the list, but this seems like a significant issue for those using "cas-server-support-duo". Are such users actually just rare, or is everyone already running CAS 7.3?

Andrew Tillinghast

Dec 19, 2025, 3:33:08 PM
to CAS Community
The only version guaranteed to support the new Duo CA is CAS version 7.3.x.


Ray Bon

Dec 19, 2025, 3:33:18 PM
to cas-...@apereo.org
Baron,

CAS 7.2.x does not have the minimums, and the last commit was late September.
Anyone wanting to use Duo will have to upgrade to 7.3.x.

Ray


Jeremiah Garmatter

Dec 19, 2025, 4:55:07 PM
to CAS Community
We utilize Duo with CAS too. We plan to upgrade to 7.3.0 in January. If you need more time you can reach out to Duo support for an extension.
I believe the final cutoff date for extenders is March 31st, but for everyone else it is February 2nd.

Baron Fujimoto

Dec 19, 2025, 10:20:09 PM
to cas-...@apereo.org
Thanks all for the confirmation. We now have a high priority task to upgrade to 7.3 (and the requisite Tomcat 11 as well).
