I am facing an issue with CAS 3.4.11 communicating with LDAP with TLS 1.2 enabled.


prashant pokharna

Jan 30, 2019, 3:31:10 AM
to CAS Community
Hi Experts,
Our project uses CAS 3.4.11 and I am trying to access an LDAP machine with only TLS 1.2 enabled, but it fails with the error "com.emc.csp.error.IOException: Could not connect to the LDAP server".
If I disable TLS 1.2 and enable only 1.0, it works fine.
Any suggestions on how to make CAS 3.4.11 compatible with TLS 1.2?

Thanks,
Prashant.

Ray Bon

Jan 30, 2019, 12:08:25 PM
to cas-...@apereo.org
Prashant,

The simplest answer, upgrade.

I started with CAS about 5 years ago and we were on 3.5. You may get lucky and someone here has a good memory.
Is there any indication in the docs that this version of CAS supports TLS 1.2?

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

David Curry

Jan 30, 2019, 12:31:59 PM
to cas-...@apereo.org
Ray is right, the best answer is upgrade. But, assuming that's not an immediate option...

I don't believe CAS 3.x had any of its own support for SSL/TLS; I think it just relied on what the underlying Java JVM gave it. So... what version of Java are you using?

TLSv1.2 was not supported in Java 6 until Update 111; it was supported in Java 7, but not enabled by default until Update 131. Assuming you have a version that supports TLSv1.2, you may need to start your Java process with either

-Dhttps.protocols=TLSv1.2

or

-Djdk.tls.client.protocols=TLSv1.2

Sorry, I don't know which one of those you'll need (they affect different things, so you should only need one or the other). I honestly don't know if just setting one of those will solve your problem, but that's where I'd start.

See this link for more info, but be aware that some of the settings here can make things much LESS secure if you don't know what you're doing. https://www.java.com/en/configure_crypto.html

Good luck,
--Dave

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL  INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 david...@newschool.edu
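
Added example, not part of the original thread: a small Java diagnostic for the question raised in the reply above, reporting which TLS versions the running JVM supports and which it enables by default for client sockets. The class name `TlsCheck` and the optional host/port arguments are assumptions; the handshake step assumes LDAPS (TLS from the first byte, typically port 636), not StartTLS.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Hypothetical helper (not CAS code). Written without Java 7+ syntax so it
// also compiles on the Java 6 runtimes discussed in the thread.
public class TlsCheck {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version             = " + System.getProperty("java.version"));
        System.out.println("https.protocols          = " + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));

        // The default context is what code gets when it does not build its own.
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("supported by this JVM    = " + Arrays.toString(supported));
        System.out.println("enabled by default       = " + Arrays.toString(enabled));

        if (!Arrays.asList(supported).contains("TLSv1.2")) {
            System.out.println("RESULT: this JVM cannot speak TLSv1.2; no -D option will help.");
            return;
        }
        if (!Arrays.asList(enabled).contains("TLSv1.2")) {
            System.out.println("RESULT: TLSv1.2 is supported but not enabled by default.");
        } else {
            System.out.println("RESULT: TLSv1.2 is enabled by default for client sockets.");
        }

        // Optional: java TlsCheck <host> <port> performs a real handshake
        // using only the default settings and prints what was negotiated.
        if (args.length == 2) {
            SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(args[0], Integer.parseInt(args[1]));
            try {
                s.startHandshake();
                System.out.println("negotiated protocol      = " + s.getSession().getProtocol());
                System.out.println("negotiated cipher suite  = " + s.getSession().getCipherSuite());
            } finally {
                s.close();
            }
        }
    }
}
```

Run it with the same Java binary and the same -D options as the CAS process, otherwise the output describes a different JVM configuration.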


