cas-server V3 and generic https certificate

Julien Marchal Julien.Marchal at univ-nancy2.fr
Fri Feb 2 05:59:48 EST 2007


Scott,
      To correct this we have made a modification in the CAS server to define
a new bean, which is the SSLProtocolSocketFactory, and we inject it in
HttpClient3FactoryBean and
HttpBasedServiceCredentialsAuthenticationHandler.

    The following files are modified:
         - applicationContext.xml
         - deployerConfigContext.xml
         - HttpBasedServiceCredentialsAuthenticationHandler.java
         - HttpClient3FactoryBean.java

  This modification permits correcting the bug, and if we want we can write
our own SSLProtocolSocketFactory (to really validate generic certificates).
  I attach the diff file.
  Do you think it's a good solution to correct this?

Thanks

Scott Battaglia wrote:
> Vincent,
>
> That's actually a bug that the handler can execute that code
> (note it can only execute the code if you don't provide an HttpClient
> instance). I've logged a bug report and it will be fixed for 3.0.7 and
> 3.1 M2.
>
> Thanks
> -Scott
>
> On 1/29/07, *Vincent MATHIEU* <vincent.mathieu at univ-nancy2.fr> wrote:
>
>     Thanks Scott,
>
>     but this modification is not sufficient.
>     The HttpBasedServiceCredentialsAuthenticationHandler class is loaded
>     after the HttpClient3FactoryBean class.
>
>     HttpBasedServiceCredentialsAuthenticationHandler also makes a call to
>     the StrictSSLProtocolSocketFactory class, and overwrites the initialization
>     of the property useStrictHostNameChecking.
>
>     And it is dangerous to completely deactivate hostname certificate control.
>
>     I will probably patch the StrictSSLProtocolSocketFactory class to
>     permit generic certificates to work.
>
>     With the CAS V2 server, I controlled the certificate with a keystore on
>     Tomcat startup:
>     CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/cert/portail.keystore"
>     ; that doesn't work now.
>
>     Vincent
>
>     Scott Battaglia wrote:
>>     CAS 3 checks the host name very strictly (i.e. * doesn't work). 
>>     You can disable this check by setting the property
>>     useStrictHostNameChecking to false on the
>>     HttpClient3FactoryBean.  However, that means while it will check
>>     that the certificate is valid, it will not match the host name to
>>     the host name on the certificate.
>>
>>     -Scott
>>
>>     On 1/8/07, *Vincent MATHIEU* <vincent.mathieu at univ-nancy2.fr> wrote:
>>
>>         Hello,
>>
>>
>>         We used cas-server V2 for several years, and we would like to
>>         migrate towards cas-server V3.
>>
>>         cas-server V3 works correctly for authenticating (via LDAP), but
>>         doesn't work in CAS proxy mode.
>>
>>         Here is a log (catalina.out) from the CAS V3 server:
>>
>>         2007-01-08 21:25:22,248 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: vmathieu>
>>
>>         2007-01-08 21:25:22,279 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service [http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]>
>>
>>         2007-01-08 21:25:26,974 ERROR [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'>
>>         javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid: expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'
>>             at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:303)
>>
>>         We use a 'generic' SSL certificate for our HTTPS server:
>>         CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr).
>>
>>         The problem seems to come from.
>>         CAS server V2 works correctly with the same certificates.
>>         Is there a simple solution to treat the problem, or do I have
>>         to patch the code?
>>
>>
>>         Thanks
>>
>>
>>         Vincent
>>
>>         --
>>         Vincent MATHIEU
>>         Université Nancy 2 - CRI
>>         Systems and networks team
>>         tel: 03 54 50 36 56
>>         contact details:
>>         http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu
>>
>>
>
>     _______________________________________________
>     Yale CAS mailing list
>     cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
>     http://tp.its.yale.edu/mailman/listinfo/cas


--
Université Nancy 2 <http://www.univ-nancy2.fr/>
Pôle Lorrain de Gestion
13 rue du Maréchal Ney
CO 30075
54036 NANCY Cedex
Telephone: 03.54.50.36.54
Fax: 03.54.50.36.51

Julien Marchal
Network team - CRI
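As an added illustration (not code from this thread, from CAS or from commons-httpclient), here is a plain-JDK host name matcher that accepts a single leading wildcard label, which is exactly what the StrictSSLProtocolSocketFactory check in the log above refuses, while still rejecting names the wildcard should not cover; a custom SSLProtocolSocketFactory like the one described in the message could delegate its host name check to it instead of switching checking off with useStrictHostNameChecking=false. The class name, the rule requiring at least two labels after the wildcard, and the sample host names are assumptions of this example.

```java
import java.util.Locale;

/**
 * Matches a host name against a certificate name that may use one leading
 * wildcard label, e.g. "*.univ-nancy2.fr". Constructed example, not CAS or
 * commons-httpclient code. Rules applied (in the spirit of RFC 2818 3.1):
 *  - comparison is case-insensitive
 *  - a wildcard is only accepted as the whole leftmost label ("*.")
 *  - the wildcard stands for exactly one label, so "a.b.univ-nancy2.fr"
 *    and the bare "univ-nancy2.fr" are rejected
 *  - at least two labels must follow the wildcard (refuses "*.fr");
 *    this is a local policy choice assumed here, not a CAS setting
 */
public final class WildcardHostnameMatcher {

    private WildcardHostnameMatcher() {}

    public static boolean matches(String hostname, String certName) {
        if (hostname == null || certName == null) return false;
        String host = hostname.toLowerCase(Locale.ENGLISH);
        String cert = certName.toLowerCase(Locale.ENGLISH);

        if (!cert.startsWith("*.")) {
            return host.equals(cert);               // plain CN: exact match only
        }
        String suffix = cert.substring(1);          // ".univ-nancy2.fr"
        if (suffix.indexOf('*') >= 0) return false; // a second wildcard is not allowed
        if (countDots(suffix) < 2) return false;    // refuse "*.fr"-style names

        if (!host.endsWith(suffix)) return false;
        String leftmost = host.substring(0, host.length() - suffix.length());
        // exactly one non-empty label may stand in for the "*"
        return leftmost.length() > 0 && leftmost.indexOf('.') < 0;
    }

    private static int countDots(String s) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) if (s.charAt(i) == '.') n++;
        return n;
    }

    public static void main(String[] args) {
        String cn = "*.univ-nancy2.fr";            // the CN from the log above
        String[] hosts = { "esupdev1.univ-nancy2.fr", "ESUPDEV1.univ-nancy2.fr",
                           "a.b.univ-nancy2.fr", "univ-nancy2.fr", "nancy2.fr" };
        for (String h : hosts) {
            System.out.println(h + " vs " + cn + " -> " + matches(h, cn));
        }
    }
}
```

The first two sample hosts match and the last three are rejected, which is the behaviour a wildcard certificate for the univ-nancy2.fr domain should give.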

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: diff
Url: http://tp.its.yale.edu/pipermail/cas/attachments/20070202/6a174f7c/attachment.pl 