Cas20ProxyRetriever and Self Signed Certs
Bill Bailey
Bill.Bailey at northlandchurch.net
Thu Jun 21 14:51:43 EDT 2007
Well, the debug information hasn't really helped at all. I can't see
anything in the logs that explains why it is failing.
If I just use the default HttpClient3FactoryBean the call
Cas20ProxyRetriever.getProxyTicketIdFor() fails with
SSLPeerUnverifiedException every time.
If I set the strict and/or useStrictHostNameChecking properties to
false, it fails with SSLHandshakeException instead.
In the latter case, I can see in the log where the socket is being
closed, but I see no explanation as to why.
I'm right back in the same untenable position I was in earlier in the
week. Sigh. The strange thing is that the CasProxyTicketValidator which
validates the original service ticket must be using HTTPS to connect to
and authenticate to the same server and it works. How can I be missing a
certificate or some configuration required to allow Cas20ProxyRetriever
to make the HTTPS call, and yet other Java code running in the same
application apparently has everything it needs?
I know I must be missing something simple, but I have no idea what it
is. Anyone have any ideas? Anyone actually have working Java code that
retrieves a proxy ticket? Surely such code exists ... can anyone point
me to some I can use as a model?
Thanks.
Bill Bailey
Senior Developer / DBA
Northland, A Church Distributed
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Thursday, June 21, 2007 11:04 AM
To: Yale CAS mailing list
Subject: Re: Cas20ProxyRetriever and Self Signed Certs
The CAS Proxy Retriever obtains its certificate information from the JVM
which is why you see no additional documentation for it.
Your remote server appears to have closed its connection during the
handshake.
You can try and turn debug on for the JVM with the following:
-Djavax.net.debug=ssl,handshake,record
-Scott
On 6/21/07, Bill Bailey <Bill.Bailey at northlandchurch.net> wrote:
Hi,
I resolved my earlier problems with HTTPS and SSL certificates and have
gotten as far as obtaining the proxy granting ticket, but just when I
thought I was past my HTTPS woes, I have run into another SSL related
issue.
Right now I am using self-signed certificates and will be for a while.
I am trying to use Cas20ProxyRetriever to retrieve the proxy ticket and
it requires an Apache Commons HttpClient to operate. I have tried both
by using a default HttpClient directly injected and by using the
HttpClient3FactoryBean. I have not yet found a combination that accepts
my self-signed certificates. I get a
javax.net.ssl.SSLPeerUnverifiedException each time I invoke
getProxyTicketIdFor and pass the httpClient and service name.
I assume I need to somehow point the httpClient to a trust store
containing the self signed certificate from the CAS server, but I
haven't yet been able to see how to do that. The CAS server certificate
has already been loaded into the JRE trust store and the other CAS
client code (e.g. the proxyValidate call to validate the original
service ticket) seems to be working ok, but my custom use of
Cas20ProxyRetriever is not.
The documentation on HttpClient3FactoryBean is pretty sparse so I just
made a guess and tried setting strict and useStrictHostNameChecking to
false. The error changed from javax.net.ssl.SSLPeerUnverifiedException to:
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
Caused by: java.io.EOFException: SSL peer shut down incorrectly
What do I need to do to make this work?
Help?
Bill Bailey
Senior Developer / DBA
Northland, A Church Distributed
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
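An added example for the question raised in this thread, written for this page and not taken from the thread or from the CAS client project: a Commons HttpClient 3.x whose https: scheme is backed by an explicit JKS trust store holding the self-signed CAS certificate, then used for the CAS 2.0 /proxy call that a proxy retriever performs. HttpClient 3.x takes its https: sockets from whatever Protocol is registered for the scheme; the stock SSLProtocolSocketFactory uses the JVM's default SSLSocketFactory and therefore the JVM trust store, so this factory instead builds its own SSLContext from the named store. The trust-store path and password, the CAS server URL, the argument handling in main and the ticket values are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

public class CasProxyTicketFetch {

    /** HttpClient 3.x socket factory that trusts only the certificates in one explicit JKS trust store. */
    static class TrustStoreSocketFactory implements SecureProtocolSocketFactory {
        private final SSLSocketFactory ssl;

        TrustStoreSocketFactory(String trustStorePath, char[] password) throws Exception {
            KeyStore ks = KeyStore.getInstance("JKS");
            FileInputStream in = new FileInputStream(trustStorePath);
            try { ks.load(in, password); } finally { in.close(); }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);                                   // trust anchors: the self-signed CAS cert(s) in this store
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);   // no client key material; we only verify the server
            ssl = ctx.getSocketFactory();
        }
        public Socket createSocket(String host, int port) throws IOException {
            return ssl.createSocket(host, port);
        }
        public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
            return ssl.createSocket(host, port, local, localPort);
        }
        public Socket createSocket(String host, int port, InetAddress local, int localPort,
                                   HttpConnectionParams params) throws IOException {
            Socket s = ssl.createSocket();                  // unconnected, so the connect timeout is honoured
            s.bind(new InetSocketAddress(local, localPort));
            s.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
            s.setSoTimeout(params.getSoTimeout());
            return s;
        }
        public Socket createSocket(Socket sock, String host, int port, boolean autoClose) throws IOException {
            return ssl.createSocket(sock, host, port, autoClose);
        }
    }

    // CAS 2.0 /proxy success response carries the ticket in <cas:proxyTicket>...</cas:proxyTicket>
    private static final Pattern PROXY_TICKET =
        Pattern.compile("<cas:proxyTicket>\\s*(\\S+?)\\s*</cas:proxyTicket>");

    /** Builds a client whose https: scheme uses the explicit trust store instead of the JVM default. */
    public static HttpClient newClient(String trustStorePath, char[] password) throws Exception {
        ProtocolSocketFactory factory = new TrustStoreSocketFactory(trustStorePath, password);
        Protocol.registerProtocol("https", new Protocol("https", factory, 443));  // process-wide in 3.x
        return new HttpClient();
    }

    /** Performs the CAS 2.0 /proxy call; returns the proxy ticket, or null on a proxyFailure response. */
    public static String getProxyTicket(HttpClient client, String casServerUrl, String pgt,
                                        String targetService) throws IOException {
        GetMethod get = new GetMethod(casServerUrl + "/proxy");
        get.setQueryString(new NameValuePair[] {
            new NameValuePair("pgt", pgt), new NameValuePair("targetService", targetService) });
        try {
            int status = client.executeMethod(get);
            if (status != HttpStatus.SC_OK) throw new IOException("CAS /proxy returned HTTP " + status);
            Matcher m = PROXY_TICKET.matcher(get.getResponseBodyAsString());
            return m.find() ? m.group(1) : null;
        } finally {
            get.releaseConnection();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths and URL. Run with -Djavax.net.debug=ssl,handshake to watch the certificate exchange.
        HttpClient client = newClient("/etc/cas/cas-trust.jks", "changeit".toCharArray());
        String pt = getProxyTicket(client, "https://cas.example.org/cas", args[0], args[1]);
        System.out.println(pt == null ? "proxy request refused by CAS" : "PT=" + pt);
    }
}
```

Two caveats worth keeping in mind with this approach. First, a plain SSLSocket in JSSE verifies the certificate chain but not that the certificate's subject matches the host you connected to, so this factory should be paired with a host name check (HttpClient 3.x's contrib StrictSSLProtocolSocketFactory does one) before it leaves a test environment; loosening "strict" settings, as tried in the thread, goes in the opposite direction. Second, because Protocol.registerProtocol is process-wide in 3.x, every HttpClient in the JVM that uses https: will pick up this factory; to scope it to one client, pass the Protocol through that client's HostConfiguration instead.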