cas-server V3 and generic https certificate

Scott Battaglia scott.battaglia at gmail.com
Thu Feb 1 11:27:31 EST 2007


Vincent,

That's actually a bug that the handler can execute that code (note it
can only execute the code if you don't provide an HttpClient instance). I've
logged a bug report and it will be fixed for 3.0.7 and 3.1 M2.

Thanks
-Scott

On 1/29/07, Vincent MATHIEU <vincent.mathieu at univ-nancy2.fr> wrote:
>
> Thanks Scott,
>
> but this modification is not sufficient.
> HttpBasedServiceCredentialsAuthenticationHandler class is loaded after
> HttpClient3FactoryBean class.
>
> HttpBasedServiceCredentialsAuthenticationHandler also makes a call to the
> StrictSSLProtocolSocketFactory class, and crushes the initialization of the property
> useStrictHostNameChecking.
>
> And it is dangerous to completely deactivate hostname certificate control.
>
> I will probably patch StrictSSLProtocolSocketFactory class to permit
> generic certificates working.
>
> With CAS V2 server, I controlled certificates with a keystore on tomcat
> startup:
> CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/cert/portail.keystore" ;
> that doesn't work now.
>
> Vincent
>
> Scott Battaglia wrote:
>
> CAS 3 checks the host name very strictly (i.e. * doesn't work).  You can
> disable this check by setting the property useStrictHostNameChecking to
> false on the HttpClient3FactoryBean.  However, that means while it will
> check that the certificate is valid, it will not match the host name to the
> host name on the certificate.
>
> -Scott
>
> On 1/8/07, Vincent MATHIEU <vincent.mathieu at univ-nancy2.fr> wrote:
> >
> > Hello,
> >
> >
> > We used cas-server V2 for several years, and we would like to migrate
> > towards cas-server V3.
> >
> > cas-server V3 works correctly for authenticating (via LDAP), but
> > doesn't work in CAS proxy mode.
> >
> > Here is a log (catalina.out) from the cas V3 server:
> >
> > 2007-01-08 21:25:22,248 INFO
> > [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> > <AuthenticationHandler:
> > org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler
> > successfully authenticated the user which provided the following
> > credentials: vmathieu>
> >
> > 2007-01-08 21:25:22,279 INFO
> > [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
> > ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service
> > [http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]>
> >
> > 2007-01-08 21:25:26,974 ERROR
> > [
> > org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
> > - <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
> > expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr '>
> > javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
> > expected 'esupdev1.univ-nancy2.fr', received '*.univ- nancy2.fr' at
> >
> > org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname
> > (StrictSSLProtocolSocketFactory.java:303)
> >
> > We use a 'generic' ssl certificate for our https server:
> > CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr).
> >
> > The problem seems to come from.
> > CAS server V2 works correctly with the same certificates.
> > Is there a simple solution to treat the problem, or do I have to patch
> > the code?
> >
> >
> > Thanks
> >
> >
> > Vincent
> >
> > --
> > Vincent MATHIEU
> > Université Nancy 2 - CRI
> > Systems and networks team
> > tel: 03 54 50 36 56
> > contact details:
> > http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu
> >
> >
> >
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
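As an added example, not code from this thread or from the CAS project: a wildcard-aware hostname check in Python, showing how the certificate name from the log above ('*.univ-nancy2.fr') can be accepted for 'esupdev1.univ-nancy2.fr' under the usual one-label rule, without switching hostname verification off. The function names are my own, and `strict=False` models the effect of `useStrictHostNameChecking=false` (the name is never compared at all).

```python
"""Wildcard-aware hostname matching for TLS certificate names.

Rules applied (conservative reading of RFC 2818 / RFC 6125):
  * a name without '*' must match the host label for label;
  * a wildcard must be the entire leftmost label ('*.univ-nancy2.fr');
  * it matches exactly one label, never 'a.b.univ-nancy2.fr';
  * '*' and '*.fr' are refused: at least two fixed labels must follow.
"""


def _labels(name: str) -> list[str]:
    # Normalise: names are case-insensitive and may carry a trailing root dot.
    return name.strip().lower().rstrip(".").split(".")


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if the certificate name covers the requested hostname."""
    host = _labels(hostname)
    pattern = _labels(cert_name)
    if "*" not in cert_name:
        return host == pattern          # plain CN: exact match only (CAS 3's rule)
    # The wildcard must be the whole leftmost label; no other label may hold '*'.
    if pattern[0] != "*" or any("*" in lbl for lbl in pattern[1:]):
        return False
    # Refuse '*' and '*.fr': a wildcard needs at least two fixed labels after it.
    if len(pattern) < 3:
        return False
    # One label only: label counts must agree and the fixed labels match literally.
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def verify_hostname(hostname: str, cert_names: list[str], strict: bool = True) -> bool:
    """Accept if any name on the certificate matches the host.

    strict=False reproduces useStrictHostNameChecking=false: any validly
    signed certificate is accepted for any host, which is what makes that
    setting dangerous to leave on permanently.
    """
    if not strict:
        return True
    return any(hostname_matches(hostname, n) for n in cert_names)


if __name__ == "__main__":
    # Values taken from the log in this thread (the CN is a constructed sample name).
    host, cn = "esupdev1.univ-nancy2.fr", "*.univ-nancy2.fr"
    print("exact-only (CAS 3):", host == cn)                      # False
    print("wildcard-aware    :", verify_hostname(host, [cn]))     # True
```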

