cas-server V3 and generic https certificate
Scott Battaglia
scott.battaglia at gmail.com
Thu Jan 11 08:03:03 EST 2007
CAS 3 checks the host name very strictly (i.e. * doesn't work). You can
disable this check by setting the property useStrictHostNameChecking to
false on the HttpClient3FactoryBean. However, that means while it will
check that the certificate is valid, it will not match the host name to the
host name on the certificate.
-Scott
On 1/8/07, Vincent MATHIEU <vincent.mathieu at univ-nancy2.fr> wrote:
>
> Hello,
>
>
> We used cas-server V2 for several years, and we would like to migrate
> towards cas-server V3.
>
> cas-server V3 works correctly for authenticating (via LDAP), but
> doesn't work in CAS proxy mode.
>
> Here is a log (catalina.out) from cas V3 server :
>
> 2007-01-08 21:25:22,248 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler
> successfully authenticated the user which provided the following
> credentials: vmathieu>
>
> 2007-01-08 21:25:22,279 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
> ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service
> [http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]>
>
> 2007-01-08 21:25:26,974 ERROR
> [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
> - <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
> expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'>
> javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
> expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'
>         at org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname(StrictSSLProtocolSocketFactory.java:303)
>
> We use a 'generic' SSL certificate for our https server:
> CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr).
>
> The problem seems to come from.
> CAS server V2 works correctly with the same certificates.
> Is there a simple solution to treat the problem, or do I have to patch
> the code?
>
>
> Thanks
>
>
> Vincent
>
> --
> Vincent MATHIEU
> Université Nancy 2 - CRI
> Systems and networks team
> tel: 03 54 50 36 56
> contact details:
> http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
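Scott's answer describes two built-in behaviours in CAS 3: the strict check, which rejects the wildcard CN `*.univ-nancy2.fr` for the host `esupdev1.univ-nancy2.fr`, and `useStrictHostNameChecking=false`, which keeps chain validation but accepts any name. As an added illustration (not code from CAS, Commons HttpClient, or either poster), the following Python models those two policies next to a third, the single-label wildcard rule from RFC 2818/RFC 6125, which is what a proxy callback client would actually need to accept this certificate without disabling name matching. The hostnames come from Vincent's log; the function names and the exception class are my own.

```python
"""Three hostname-verification policies for a TLS peer certificate name.

Added example: models the behaviours discussed in the thread, it is not
CAS or HttpClient code.  Certificate names are taken as plain strings
(the CN or a dNSName SAN); no real socket or X.509 parsing is involved.
"""


class HostnameMismatch(Exception):
    """Stand-in for javax.net.ssl.SSLPeerUnverifiedException."""


def _labels(name: str) -> list[str]:
    # Normalise case and a trailing dot, then split into DNS labels.
    return name.lower().rstrip(".").split(".")


def match_strict(expected_host: str, cert_name: str) -> bool:
    """Exact match only: the CAS 3 behaviour reported in the thread.

    A wildcard CN never equals a concrete hostname, so '*.univ-nancy2.fr'
    is rejected for 'esupdev1.univ-nancy2.fr'.
    """
    return _labels(expected_host) == _labels(cert_name)


def match_wildcard(expected_host: str, cert_name: str) -> bool:
    """RFC 2818 / RFC 6125 style single-label wildcard.

    Rules enforced:
      * '*' may only be the whole left-most label ('*.example.com');
      * it matches exactly one label, so 'a.b.example.com' does not match;
      * it does not match the bare parent ('example.com');
      * a wildcard needs at least two fixed labels behind it, so '*.fr'
        is refused rather than matching every .fr host.
    """
    host = _labels(expected_host)
    pattern = _labels(cert_name)
    if "*" in expected_host or any(lbl == "" for lbl in host):
        return False
    if "*" not in cert_name:
        return host == pattern
    if pattern[0] != "*" or any("*" in lbl for lbl in pattern[1:]):
        return False
    if len(pattern) < 3:
        return False
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def match_disabled(expected_host: str, cert_name: str) -> bool:
    """useStrictHostNameChecking=false: any certificate name is accepted.

    The chain is still validated elsewhere, but a valid certificate for
    an unrelated host (for example one issued to an attacker's own domain)
    passes, which is the trade-off Scott's reply points out.
    """
    return True


def verify(expected_host: str, cert_name: str, policy) -> bool:
    """Apply a policy; raise with the same message shape as the log above."""
    if not policy(expected_host, cert_name):
        raise HostnameMismatch(
            f"HTTPS hostname invalid: expected '{expected_host}', "
            f"received '{cert_name}'"
        )
    return True


POLICIES = {
    "strict": match_strict,
    "wildcard": match_wildcard,
    "disabled": match_disabled,
}


def policy_table(cases: list[tuple[str, str]]) -> dict[str, dict[tuple[str, str], bool]]:
    """For each policy, which (host, cert_name) pairs it accepts."""
    return {
        name: {case: fn(*case) for case in cases}
        for name, fn in POLICIES.items()
    }


if __name__ == "__main__":
    # Constructed inputs: the real pair from the log plus edge cases.
    cases = [
        ("esupdev1.univ-nancy2.fr", "*.univ-nancy2.fr"),   # the reported failure
        ("esupdev1.univ-nancy2.fr", "esupdev1.univ-nancy2.fr"),
        ("a.b.univ-nancy2.fr", "*.univ-nancy2.fr"),        # two labels under wildcard
        ("univ-nancy2.fr", "*.univ-nancy2.fr"),            # bare parent
        ("esupdev1.univ-nancy2.fr", "*.fr"),               # over-broad wildcard
        ("attacker.example.org", "attacker.example.org"),  # valid cert, wrong host
    ]
    for policy, results in policy_table(cases).items():
        print(policy)
        for (host, cn), ok in results.items():
            print(f"  {host:28} vs {cn:26} -> {'accept' if ok else 'reject'}")
```

Run as a script it prints an acceptance matrix; the last row is the one to look at when deciding whether to flip `useStrictHostNameChecking` off, since "disabled" accepts a perfectly valid certificate issued for a host the proxy callback was never meant to reach.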