Correct me if I'm wrong but doesn't that post suggest to enable both 
SSLv3 and SSLv2Hello? Both of which are vulnerable?

If I run with just a single host in the farm things appear to work fine. 
As soon as I bring up the second host the LB drops both from the farm as 
down. However, if I set my /etc/hosts to point directly to either of the 
CAS servers I get the login page, it authenticates me and then throws 
the error. To recover I need to back out of the config on both CAS 
servers, then the LB will see them as up again. Also, during the time 
that they are in the 'down state' I can successfully 
authenticate to/access a CAS-ified Apache instance, but not the 
service management.

Thanks,
Aaron

On 10/20/2014 12:34 PM, Sean Baker wrote:
> Try the below:
>
> https://mail-archives.apache.org/mod_mbox/tomcat-users/201302.mbox/%3c512559f7.4080...@gmail.com%3E
>
> It’s a bit of a guess, but it’s also the most common reason why we’ve 
> seen that here.
>
> We’ve had Java 6 and 7 clients reaching out to our instance for ticket 
> validation and have never had a cipher mismatch; that said, we run 
> with the unlimited JCE installed on the server so that may be 
> something to consider as you’re looking for newer TLS-compatible 
> ciphers to use.
>
>
> -- 
> Ne Desit Virtus,
>
> Sean R. Baker
> 1LT, MS
> United States Army
> Office #: (301) 319-0712
> Email: sean.ba...@usuhs.edu <mailto:sean.ba...@usuhs.edu>
>
> On Oct 20, 2014, at 12:08 PM, Carlos Fernandez <cfern...@sju.edu 
> <mailto:cfern...@sju.edu>> wrote:
>
>> Hi, Aaron,
>> I thought I was the only one dealing with the same issue. I am 
>> getting the same error on a CAS-enabled app after we disabled SSLv3 
>> support in the load balancer that sits in front of our CAS servers. 
>> So far it seems to only affect the CAS client.
>> I have upgraded to JDK 7u72 and added 
>> –Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to the JVM command line, but 
>> still get the same error message. My guess is that the limited set of 
>> ciphers supported by the load balancer doesn’t match the default 
>> ciphers enabled in the JVM. I’m still looking at what values the 
>> https.cipherSuites system property accepts in order to configure it 
>> accordingly.
>> Best regards,
>> --
>> Carlos.
>> *From:* Aaron Eidt [mailto:aei...@uwo.ca]
>> *Sent:* Monday, 20 October, 2014 11:50
>> *To:* cas-user@lists.jasig.org <mailto:cas-user@lists.jasig.org>
>> *Subject:* [cas-user] CAS 3.5.2 and CVE-2014-3566, POODLE
>>
>> I've attempted to change the Tomcat config to disable SSLv3 and when I do 
>> I get the following exception trying to log in to CAS service 
>> management (not immediately, after a few minutes and sometimes after 
>> updating the second host). Adding 
>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the SSL connector has 
>> worked on several other Tomcat installations.
>>
>> Here is more detail about my setup:
>> CAS version: 3.5.2
>> Tomcat Version:  7.0.37.0
>> OS Name:        Linux
>> OS Version:     2.6.32-358.0.1.el6.x86_64
>> Architecture:   amd64
>> JVM Version:    1.6.0_24-b24
>> JVM Vendor:     Sun Microsystems Inc.
>>
>> Have 2 app servers behind load balancer but SSL is done by Tomcat
>>
>> java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>     org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:341)
>>     org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>     org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>     org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>     org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>     org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>     org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>     org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>     org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>     org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>     org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>     org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>     org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>     org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>     com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>
>> *root cause*
>>
>> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>>     sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>     sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>     sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
>>     sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
>>     sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
>>     sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1202)
>>     sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1186)
>>     sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:440)
>>     sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>>     sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1139)
>>     sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
>>     org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
>>     org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
>>     org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
>>     org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
>>     org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
>>     org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
>>     org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>>     org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
>>     org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
>>     org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
>>     org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>>     org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
>>     org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
>>     org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>>     org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
>>     com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
>>
>>
>> Thanks,
>> Aaron
>>   
>> -- 
>> You are currently subscribed to cas-u...@lists.jasig.org 
>> <mailto:cas-user@lists.jasig.org> as: cfern...@sju.edu 
>> <mailto:cfern...@sju.edu>
>> To unsubscribe, change settings or access archives, 
>> see http://www.ja-sig.org/wiki/display/JSG/cas-user
>


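The thread above leaves open whether the handshake_failure is a protocol-version problem (the Java 6 client offering something the TLS-only Tomcat connector no longer accepts) or a cipher-suite mismatch with the load balancer. The following is an added diagnostic, not code from the thread or from the CAS project: it prints what the client JVM offers by default, then attempts a handshake against the CAS server with several explicit protocol lists, so the two causes can be told apart. The host and port are command-line arguments and the candidate protocol lists are assumptions chosen to match the connector settings discussed above.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not part of the original thread or the CAS client).
 * Compiles on Java 6 and later: no diamond operator, no string switch.
 *
 * Usage: java TlsProbe cas.example.edu 8443
 * (host and port are assumed placeholders, not values from the thread)
 */
public class TlsProbe {

    /** One handshake with exactly these protocols enabled on the client side. */
    static String probe(String host, int port, String[] protocols) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setSoTimeout(10000);
            socket.setEnabledProtocols(protocols);
            socket.startHandshake();
            return "OK   " + Arrays.toString(protocols)
                    + " -> " + socket.getSession().getProtocol()
                    + " / " + socket.getSession().getCipherSuite();
        } catch (SSLException e) {
            // "Received fatal alert: handshake_failure" lands here, same as in the trace above
            return "FAIL " + Arrays.toString(protocols) + " -> " + e.getMessage();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // What this JVM offers when the CAS client's HttpsURLConnection is not configured.
        SSLSocket defaults = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        String[] enabled = defaults.getEnabledProtocols();
        String[] supported = defaults.getSupportedProtocols();
        System.out.println("JVM " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");
        System.out.println("client default protocols  : " + Arrays.toString(enabled));
        System.out.println("client supported protocols: " + Arrays.toString(supported));
        System.out.println("client default ciphers    : " + Arrays.toString(defaults.getEnabledCipherSuites()));
        defaults.close();

        // 1. Reproduce what the unconfigured client does.
        System.out.println(probe(host, port, enabled));

        // 2. Each version on its own, then TLSv1 together with the SSLv2Hello
        //    hello framing. If TLSv1 alone succeeds but TLSv1+SSLv2Hello fails,
        //    the server is rejecting the hello format, not the TLS version or
        //    the cipher list. If every version fails, suspect the cipher set.
        String[][] candidates = {
            {"SSLv3"}, {"TLSv1"}, {"TLSv1.1"}, {"TLSv1.2"}, {"SSLv2Hello", "TLSv1"}
        };
        for (String[] c : candidates) {
            if (Arrays.asList(supported).containsAll(Arrays.asList(c))) {
                System.out.println(probe(host, port, c));
            } else {
                System.out.println("SKIP " + Arrays.toString(c) + " -> not supported by this JVM");
            }
        }
    }
}
```

Run it with the same JVM and the same truststore as the CAS client (here a 1.6.0_24 JVM), once against each Tomcat node directly and once against the load balancer VIP, since the thread shows different behaviour for the two paths. A result where `[TLSv1]` succeeds and `[SSLv2Hello, TLSv1]` fails means the connector's `sslEnabledProtocols` list dropped the SSLv2Hello framing along with SSLv3; the fix is then either to pin the client JVM to TLSv1 (the `https.protocols` property mentioned above covers HttpsURLConnection) or to re-add only SSLv2Hello, which is the hello framing and not SSLv3 itself, to the connector. Where every protocol fails against the VIP but succeeds against a node, compare the "client default ciphers" line with the suite list configured on the balancer.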