Cas client fails to communicate in TLS mode


Guru Prashanth Thanakodi

Oct 21, 2016, 3:02:49 AM
to CAS Community
Hi All

We have CAS 3.4.11 deployed on Apache Tomcat 7. Our Application is deployed on JBOSS 7.1.

If we disable the TLS 1.0 communication in JASIG CAS Sever(Apache Tomcat) , We are unable to login.

Here is the stack trace



Thanks,
Guru


Guru Prashanth Thanakodi

Oct 21, 2016, 3:08:11 AM
to CAS Community
Attaching the stack trace of the failure.

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Unknown Source) [jsse.jar:1.7.0_79]
at sun.security.ssl.Alerts.getSSLException(Unknown Source) [jsse.jar:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source) [jsse.jar:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) [jsse.jar:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) [jsse.jar:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) [jsse.jar:1.7.0_79]
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) [jsse.jar:1.7.0_79]
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) [rt.jar:1.7.0_79]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) [rt.jar:1.7.0_79]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) [rt.jar:1.7.0_79]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) [rt.jar:1.7.0_79]
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216) [cas-client-core-3.2.1.jar:3.2.1]

Guru Prashanth Thanakodi

Oct 24, 2016, 2:56:36 PM
to CAS Community
Hi All

Can someone help me here? How do I change the JASIG client to communicate using TLS v1.2?

Thanks
Guru

--
CAS gitter chatroom: https://gitter.im/apereo/cas
CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
CAS documentation website: https://apereo.github.io/cas
CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/baafd574-9319-4c55-8f08-536b8ca21705%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Andrew Morgan

Oct 25, 2016, 3:28:14 AM
to Guru Prashanth Thanakodi, CAS Community
Java 7 supports TLS v1.0, v1.1, and v1.2. See:

https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

What did you change on the CAS Server (Tomcat) to disable other versions
of TLS?

Thanks,
Andy

On Sun, 23 Oct 2016, Guru Prashanth Thanakodi wrote:

> Hi All
>

Guru Prashanth Thanakodi

Oct 25, 2016, 10:07:44 AM
to Andrew Morgan, CAS Community
Hi Andy

I have removed TLS v1 from server.xml. The JRE for JBOSS is 1.7.0.79. Looks like I will have to move to minor version 95 and use https.protocols and jdk.tls.client.protocols.

<Connector SSLEnabled="true" clientAuth="false"
           keystoreFile="C:\EMC\AppSync\jboss\standalone\configuration\cas.jks"
           maxThreads="150" port="8444"
           protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true"
           sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>

Thanks
Guru


Andrew Morgan

Oct 25, 2016, 12:06:43 PM
to Guru Prashanth Thanakodi, CAS Community
Yeah, I think you're running into a client side problem. You'll need to
configure your client software (Java?) to default to TLSv1.2 instead of
TLSv1. My testing suggests that Java7 clients default to a TLSv1
handshake. You could also try to upgrade your client to Java8.

Andy
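As an added illustration, not code from this thread or from the CAS project: a small Java 7 program that prints the protocols the JVM's default socket factory would offer in a handshake, then installs a TLSv1.2 SSLContext as the default factory for HttpsURLConnection, which is what Saml11TicketValidator uses according to the trace above. The class name is hypothetical; the -D switches in the comment are the standard JSSE properties the thread mentions.

```java
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical diagnostic class, not part of the CAS client.
public class TlsClientProtocols {

    // Protocols a socket from the given factory would offer in its ClientHello.
    // On Java 7 the default factory typically enables only TLSv1 (plus SSLv3 on
    // older updates), which a server that has removed TLSv1 rejects with the
    // "handshake_failure" alert seen in the trace.
    static String[] enabledProtocols(SSLSocketFactory factory) throws Exception {
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            return socket.getEnabledProtocols();
        }
    }

    // A "TLSv1.2" context on Java 7 enables TLSv1, TLSv1.1 and TLSv1.2 on the
    // sockets it creates. Null managers keep the JVM's default keystore and
    // truststore handling, so server certificate validation is unchanged.
    static SSLSocketFactory tls12Factory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory jvmDefault = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("JVM default offers:     "
                + Arrays.toString(enabledProtocols(jvmDefault)));

        SSLSocketFactory tls12 = tls12Factory();
        System.out.println("TLSv1.2 context offers: "
                + Arrays.toString(enabledProtocols(tls12)));

        // The ticket validator goes through HttpsURLConnection, so making this
        // factory the default fixes the client without touching CAS client code.
        // JVM-level alternatives: -Dhttps.protocols=TLSv1.2 for HttpsURLConnection,
        // and on 7u95 and later -Djdk.tls.client.protocols=TLSv1.2 for all sockets.
        HttpsURLConnection.setDefaultSSLSocketFactory(tls12);
    }
}
```

Run the first part against the client's own JRE before changing anything: if the default list lacks TLSv1.2, the handshake_failure is explained by the client, not the server.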

Guru Prashanth Thanakodi

Oct 25, 2016, 12:12:33 PM
to Andrew Morgan, CAS Community
I am using CAS 3.4.11. I faced issues with the 1.8 JRE: the AspectJ version had issues with the 1.8 JRE. Now we don't have support to get the latest minor version of 1.7.
So I am stuck as of now. Thanks Andy for your help.

Thanks
Guru

Andrew Morgan

Oct 25, 2016, 12:18:30 PM
to Guru Prashanth Thanakodi, CAS Community
On Tue, 25 Oct 2016, Guru Prashanth Thanakodi wrote:

> I am using CAS 3.4.11. I faced issues with 1.8 JRE. Aspectj version had
> issues with 1.8 JRE. Now we don't have support to get the latest minor
> version of 1.7.
> So I am stuck as of now. Thanks Andy for your help...

I'm not sure if you're talking about the version of Java on your CAS
server or whatever software your CAS client is running. It sounds like
your CAS server already supports TLSv1, 1.1, and 1.2 via Java7 with JBoss.

What about the versions of your CAS client software?

Andy

Guru Prashanth Thanakodi

Oct 25, 2016, 12:30:45 PM
to Andrew Morgan, CAS Community
Both of them use the same JDK version in our product. Is it possible to run CAS server 3.4.11 on the 1.8 JDK?

Thanks
Guru

Andrew Morgan

Oct 25, 2016, 4:00:06 PM
to Guru Prashanth Thanakodi, CAS Community
On Tue, 25 Oct 2016, Guru Prashanth Thanakodi wrote:

> Both of them uses the same JDK version in our product.. Is it possible to
> run CAS server 3.4.11 on 1.8 JDK

I'm not sure. I'm running v3.5.2 on Java8 with Tomcat8.

Maybe someone else can comment on v3.4.11.

Andy

Uxío

Oct 26, 2016, 5:24:40 AM
to Andrew Morgan, Guru Prashanth Thanakodi, CAS Community
I don't know, I think you should be able to run the server in Java 8, but I know you definitely will not be packaging CAS server 3 vanilla using Maven 3.2 and Java 8.

You would need to change at least the Maven POM in order to upgrade aspectj from 6 to 8.

I am a newbie here, but I am currently trying to do this upgrade path: CAS server 3.4.10 to 3.6.0 to 4 to 5.

Sent from my iPhone