cas-server V3 and generic https certificate

Vincent MATHIEU vincent.mathieu at univ-nancy2.fr
Mon Jan 29 14:05:17 EST 2007


Thanks Scott,

but this modification is not sufficient.
The HttpBasedServiceCredentialsAuthenticationHandler class is loaded after 
the HttpClient3FactoryBean class.

HttpBasedServiceCredentialsAuthenticationHandler also calls the 
StrictSSLProtocolSocketFactory class, and overwrites the initialization of 
the useStrictHostNameChecking property.

And it is dangerous to completely deactivate certificate hostname checking.

I will probably patch the StrictSSLProtocolSocketFactory class to permit 
generic certificates to work.

With the CAS V2 server, I controlled certificates with a keystore at Tomcat 
startup:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/etc/cert/portail.keystore" ; 
that doesn't work now.

Vincent

Scott Battaglia wrote:
> CAS 3 checks the host name very strictly (i.e. * doesn't work).  You 
> can disable this check by setting the property 
> useStrictHostNameChecking to false on the HttpClient3FactoryBean.  
> However, that means while it will check that the certificate is valid, 
> it will not match the host name to the host name on the certificate.
>
> -Scott
>
> On 1/8/07, *Vincent MATHIEU* <vincent.mathieu at univ-nancy2.fr 
> <mailto:vincent.mathieu at univ-nancy2.fr>> wrote:
>
>     Hello,
>
>
>     We used cas-server V2 for several years, and we would like to migrate
>     to cas-server V3.
>
>     cas-server V3 works correctly for authenticating (via LDAP), but
>     doesn't work in CAS proxy mode.
>
>     Here is a log (catalina.out) from the CAS V3 server:
>
>     2007-01-08 21:25:22,248 INFO
>     [org.jasig.cas.authentication.AuthenticationManagerImpl] -
>     <AuthenticationHandler:
>     org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler
>     successfully authenticated the user which provided the following
>     credentials: vmathieu>
>
>     2007-01-08 21:25:22,279 INFO
>     [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
>     ticket [ST-2-bjB6dheW1LDH0Fl2fXvYjTqYDlEbD50L1mk-20] for service
>     [http://esupdev1.univ-nancy2.fr/package/Login] for user [vmathieu]>
>
>     2007-01-08 21:25:26,974 ERROR
>     [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler]
>     - <javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
>     expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr'>
>     javax.net.ssl.SSLPeerUnverifiedException: HTTPS hostname invalid:
>     expected 'esupdev1.univ-nancy2.fr', received '*.univ-nancy2.fr' at
>     org.apache.commons.httpclient.contrib.ssl.StrictSSLProtocolSocketFactory.verifyHostname
>     (StrictSSLProtocolSocketFactory.java:303)
>
>     We use a 'generic' SSL certificate for our https server:
>     CN=*.univ-nancy2.fr (and not CN=auth.univ-nancy2.fr).
>
>     The problem seems to come from.
>     The CAS V2 server works correctly with the same certificates.
>     Is there a simple solution to treat the problem, or do I have to patch
>     the code?
>
>
>     Thanks
>
>
>     Vincent
>
>     --
>     Vincent MATHIEU
>     Université Nancy 2 - CRI
>     Systems and networks team
>     tel: 03 54 50 36 56
>     contact details:
>     http://www.univ-nancy2.fr/ANNUAIRE/PERS/detail_pres.php?uid=vmathieu
>
>
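The strict check in the thread rejects the wildcard CN outright, while setting useStrictHostNameChecking to false drops hostname matching entirely. The middle ground Vincent describes, accepting a wildcard only as the whole leftmost label of the presented name, is shown below as an added example in Python; it is not CAS or HttpClient code, and the function names are my own.

```python
"""Wildcard hostname matching for TLS certificates (added example).

Rule demonstrated: '*' may only stand for the entire leftmost label of the
name in the certificate, it never matches across a dot, and it needs at
least two labels to its right. So '*.univ-nancy2.fr' matches
'esupdev1.univ-nancy2.fr' but not 'a.b.univ-nancy2.fr', 'univ-nancy2.fr'
or 'esupdev1.univ-nancy2.fr.example'. Names below are the thread's own.
"""


def hostname_matches(presented: str, hostname: str) -> bool:
    """True if the certificate name `presented` is valid for `hostname`."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented or not hostname:
        return False
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # Empty labels ("a..b") are never valid DNS names.
    if any(not l for l in p_labels + h_labels):
        return False
    if "*" not in presented:
        return p_labels == h_labels
    # Wildcard only as the complete leftmost label, nowhere else.
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False
    # Refuse '*.fr' style names: at least two labels must follow '*'.
    if len(p_labels) < 3:
        return False
    # '*' covers exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def verify_peer(cert_names, hostname: str) -> bool:
    """True if any name taken from the certificate matches the host."""
    return any(hostname_matches(n, hostname) for n in cert_names)


if __name__ == "__main__":
    # Constructed inputs using the hostnames from the thread.
    print(verify_peer(["*.univ-nancy2.fr"], "esupdev1.univ-nancy2.fr"))
    print(verify_peer(["*.univ-nancy2.fr"], "a.b.univ-nancy2.fr"))
```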