[cas-dev] CAS version 3.0.7 and BlackBoard Version 6
Darren Kraker
dkraker at calpoly.edu
Wed Sep 5 13:37:37 EDT 2007
Just wanted to follow up with more detail on the problem for anyone else
that encounters this issue. It turns out this is not a CAS client
problem but a Blackboard configuration running in Tomcat 5.0.28 problem.
Here is what we found and our current work around which we are trying to
improve.
To summarize the problem, we found that as a result of upgrading the
http server that CAS uses, a different cipher is selected by default
during the handshake process and the java cas client running in a
Blackboard/Tomcat environment fails to handshake properly.
Details:
----------------------------------------------------------
Upgraded HTTP server
FROM
IBM_HTTP_SERVER/1.3.19.6-PQ90262 Apache/1.3.20 (Unix)
TO
IBM HTTP Server 6.1.0.0
The default cipher algorithm selected during the SSL handshake went
FROM
SSL_RSA_WITH_RC4_128_SHA
TO
TLS_RSA_WITH_AES_128_CBC_SHA
The enabled ciphers the client is presented with include:
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Environment:
jdk1.5.0_06
Tomcat 5.0.28
Standard java cas client version 2.1.1
This same CAS client works in an independent install of Tomcat 5.0.28
with the same JDK on the same machine. It appears the way Blackboard is
configured to run within Tomcat 5.0.28 creates this failure.
The following exception is observed:
javax.net.ssl.SSLException: Invalid padding which is caused by
javax.crypto.BadPaddingException: Invalid TLS padding: 101
This exception occurs on the call to getInputStream() within this block
of SecureURL.java.
URLConnection uc = u.openConnection();
uc.setRequestProperty("Connection", "close");
r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
Configuration attempts to fix the problem include
--------------------------------------------------------------
1) Removing jcert-1.0.2.jar, jnet-1.0.2.jar, jsse-1.0.2.jar from
/usr/local/blackboard/apps/tomcat/shared/lib (jsse-1.0.2 is not needed
with jdk 1.5)
2) Changing the order of the java.security providers by moving
com.sun.crypto.provider.SunJCE higher up the list, to position 3 and then 2
(this did not help)
3) Forcing an older cipher on the newer version of IBM HTTP Server,
SSL_RSA_WITH_RC4_128_SHA (this temporarily fixed the problem but is not
a long-term solution)
Scott Battaglia wrote:
> Darren,
>
> Is it possible that either the keystore (Tomcat's) or the JVM's is
> messed up somehow?
>
> -Scott
>
> On 8/31/07, *Darren Kraker* < dkraker at calpoly.edu
> <mailto:dkraker at calpoly.edu>> wrote:
>
> We're trying to upgrade our CAS server from 2.x to 3.0.7 and are having
> trouble with the java casclient version 2.1.1. The client works fine in
> all other environments but when running the jar file in the Blackboard
> tomcat app server we're getting a javax.net.ssl.SSLException : Invalid
> padding which is caused by javax.crypto.BadPaddingException: Invalid TLS
> padding: 101
>
> I've added lots of debug code to the cas client to discover it fails on
> the call to getInputStream() within this block of SecureURL.java.
>
> URLConnection uc = u.openConnection();
> uc.setRequestProperty("Connection", "close");
> r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
>
> I'm running
> java version "1.5.0_06"
> Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
> Java HotSpot(TM) Server VM (build 1.5.0_06-b05, mixed mode)
>
> on Linux 2.4.21-32.0.1.ELsmp #1 SMP Tue May 17 17:52:23 EDT 2005 i686
> i686 i386 GNU/Linux
>
> The same code when run outside tomcat runs fine. Any ideas?
>
> --
> Darren Kraker
> Software Engineer
> Application Management / ITS
> mailto:dkraker at calpoly.edu <mailto:dkraker at calpoly.edu>
> Office (805) 756-2696
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu <mailto:cas-dev at tp.its.yale.edu>
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> <http://www.linkedin.com/in/scottbattaglia>
--
Darren Kraker
Software Engineer
Application Management / ITS
mailto:dkraker at calpoly.edu
Office (805) 756-2696
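Added diagnostic, not part of the thread, the CAS client or Blackboard: the three workarounds above are all guesses at which JSSE/JCE code the Blackboard-hosted JVM is really running. The program below answers that directly (where javax.net.ssl classes and the SSLContext and AES/CBC providers were loaded from, which exposes a stray jsse-1.0.2.jar in shared/lib or a reordered provider list) and then repeats the SecureURL.java fetch once per cipher suite over a raw SSLSocket, reading the first response line, which is where a CBC padding error surfaces. Run it inside the Blackboard Tomcat (for example from a JSP or a startup hook) and again in the standalone Tomcat and diff the output. The class name, the placeholder URL and the choice of the two suites from the thread are assumptions for illustration; the JSSE and JCE calls are standard JDK 1.5 APIs.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Diagnostic added to the thread (hypothetical class; not CAS or Blackboard code).
 * 1) Reports which JSSE/JCE classes and providers this JVM actually uses.
 * 2) Handshakes with the CAS URL once per cipher suite and reads the first
 *    HTTP line, so a failing suite (AES-CBC) can be isolated from one that works (RC4).
 * Usage: java TlsSuiteProbe https://cas.example.edu/cas/serviceValidate
 * (the URL is a placeholder; pass your own CAS server URL)
 */
public class TlsSuiteProbe {

    /** Where a class was loaded from; null CodeSource means the JDK boot classpath (rt.jar/jsse.jar). */
    static String origin(Class c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "boot classpath (JDK)" : cs.getLocation().toString();
    }

    static void reportProviders() throws Exception {
        // A jsse-1.0.2.jar in shared/lib shows up here as a non-JDK location.
        System.out.println("SSLSocketFactory class from: " + origin(SSLSocketFactory.class));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key managers, trust managers and RNG
        System.out.println("SSLContext provider: " + ctx.getProvider().getName()
                + " (" + origin(ctx.getProvider().getClass()) + ")");
        // The provider that decrypts AES-CBC records for the AES suites.
        Cipher aes = Cipher.getInstance("AES/CBC/NoPadding");
        System.out.println("AES/CBC provider: " + aes.getProvider().getName()
                + " (" + origin(aes.getProvider().getClass()) + ")");
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++) {
            System.out.println("java.security provider " + (i + 1) + ": " + ps[i].getName());
        }
    }

    /** Handshake with exactly one suite, send a GET, return the status line or the failure. */
    static String fetchWithSuite(URL url, String suite) {
        int port = url.getPort() == -1 ? 443 : url.getPort();
        SSLSocket s = null;
        try {
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            s = (SSLSocket) f.createSocket(url.getHost(), port);
            s.setSoTimeout(10000);
            s.setEnabledCipherSuites(new String[] { suite });   // offer only this suite
            s.startHandshake();
            String path = url.getPath().length() == 0 ? "/" : url.getPath();
            OutputStream out = s.getOutputStream();
            out.write(("GET " + path + " HTTP/1.0\r\nHost: " + url.getHost()
                    + "\r\nConnection: close\r\n\r\n").getBytes("US-ASCII"));
            out.flush();
            // The first application-data record is where a CBC padding error is thrown.
            BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream()));
            return s.getSession().getCipherSuite() + " -> " + r.readLine();
        } catch (Exception e) {
            // Includes IllegalArgumentException if this JSSE does not know the suite at all.
            return suite + " -> FAILED: " + e;
        } finally {
            if (s != null) { try { s.close(); } catch (Exception ignored) { } }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TlsSuiteProbe https://host/path");
            System.exit(2);
        }
        reportProviders();
        URL url = new URL(args[0]);
        // The two suites from the thread: the stream cipher that worked and the
        // CBC block cipher that failed, so both behaviours can be compared directly.
        String[] suites = { "SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA" };
        for (int i = 0; i < suites.length; i++) {
            System.out.println(fetchWithSuite(url, suites[i]));
        }
    }
}
```

If the provider report differs between the two Tomcats (a javax.net.ssl class or provider loaded from a jar under Blackboard's shared/lib rather than the JDK), that is the component to remove or update; if the reports match but only the AES-CBC probe fails, the suite restriction gives a client-side equivalent of workaround 3 that does not require weakening the server for every other client. Restricting to RC4 is only a stopgap either way: the real fix is a JSSE/JCE that decrypts the CBC suites correctly.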