Cas20ProxyRetriever and Self Signed Certs
Bill Bailey
Bill.Bailey at northlandchurch.net
Thu Jun 21 11:18:28 EDT 2007
Scott,
The disconnect during handshake happened only after I set strict and
useStrictHostNameChecking to false. Should I even need to set these to
false? (I notice they are not set in the sample client configuration)
If I have the remote (in this case, it isn't actually remote, it's the
same server where the app is running) certificate in my JVM trustStore
(cacerts), shouldn't a self-signed certificate work just like a CA
certified one? And the certificate is there because the ACEGI
CasProxyTicketValidator is working like a charm now.
I will add the debug you suggested to see if I can find out any more,
but I wanted to make sure I should even have to be setting the strict
flags to false in the first place.
Thanks.
Bill Bailey
Senior Developer / DBA
Northland, A Church Distributed
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Thursday, June 21, 2007 11:04 AM
To: Yale CAS mailing list
Subject: Re: Cas20ProxyRetriever and Self Signed Certs
The CAS Proxy Retriever obtains its certificate information from the JVM
which is why you see no additional documentation for it.
Your remote server appears to have closed its connection during the
handshake.
You can try and turn debug on for the JVM with the following:
-Djavax.net.debug=ssl,handshake,record
-Scott
On 6/21/07, Bill Bailey < Bill.Bailey at northlandchurch.net
<mailto:Bill.Bailey at northlandchurch.net> > wrote:
Hi,
I resolved my earlier problems with HTTPS and SSL certificates and have
gotten as far as obtaining the proxy granting ticket, but just when I
thought I was past my HTTPS woes, I have run into another SSL related
issue.
Right now I am using self-signed certificates and will be for a while.
I am trying to use Cas20ProxyRetriever to retrieve the proxy ticket and
it requires an Apache Commons HttpClient to operate. I have tried both
by using a default HttpClient directly injected and by using the
HttpClient3FactoryBean. I have not yet found a combination that accepts
my self-signed certificates. I get a
javax.net.ssl.SSLPeerUnverifiedException each time I invoke
getProxyTicketIdFor and pass the httpClient and service name.
I assume I need to somehow point the httpClient to a trust store
containing the self signed certificate from the CAS server, but I
haven't yet been able to see how to do that. The CAS server certificate
has already been loaded into the JRE trust store and the other CAS
client code (e.g. the proxyValidate call to validate the original
service ticket) seems to be working ok, but my custom use of
Cas20ProxyRetriever is not.
The documentation on HttpClient3FactoryBean is pretty sparse so I just
made a guess and tried setting strict and useStrictHostNameChecking to
false. The error changed from javax.net.ssl.SSLPeerUnverifiedException
to
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
Caused by: java.io.EOFException: SSL peer shut down incorrectly
What do I need to do to make this work?
Help?
Bill Bailey
Senior Developer / DBA
Northland, A Church Distributed
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas/attachments/20070621/86a72f5c/attachment.html
More information about the cas
mailing list