Re: Re: MOD_AUTH_CAS: Could not perform SSL handshake

Andrew Ralph Feller, afelle1 afelle1 at lsu.edu
Wed Oct 22 09:13:21 EDT 2008


The "Require valid-user" directive is very important because it notifies
Apache to keep anyone who doesn't successfully pass authentication away from
the content, IIRC.  Try this: put in some invalid username and password with
that directive removed and see if it lets you in.  If so, then you need to
go back to the drawing board.

As far as certificate permissions, as long as the apache user can read it,
that is fine.

Once again, I will stress whether the proper SSL certificate is being used.

On 10/22/08 7:53 AM, "lobatt" <lobatt at 163.com> wrote:

> <Location "/casprotect/">
>  AuthType CAS
>  Require valid-user
> </Location>
> 
> I took Require valid-user away, and my request succeeded, so I think plain
> https is ok.
> My certificate's permissions are 644, is that ok?
> 
> Best Regards,
> 
> Li Cheng
> 
> -----Original Message-----
> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On
> Behalf Of David Whitehurst
> Sent: October 22, 2008 20:26
> To: Yale CAS mailing list
> Subject: Re: Re: MOD_AUTH_CAS: Could not perform SSL handshake
> 
> You might set up your certificate file with Apache and see if a plain
> HTTPS request works?  I agree with Matt above that you should check
> permissions too.
> 
> 
> David
> 
> On 10/22/08, lobatt <lobatt at 163.com> wrote:
>> Thank you for your time.
>> 
>> I checked my configuration, there is no space; it must be a typo, I
>> replaced my domain name for security reasons.
>> Below is my real configuration:
>> #******************************CAS client integration**************
>> LoadModule auth_cas_module modules/mod_auth_cas.so
>> CASCookiePath /tmp/cas/
>> CASloginURL https://sp.permis.pku.edu.cn/cas/login
>> CASValidateURL https://sp.permis.pku.edu.cn/cas/serviceValidate
>> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/sp.permis.pku.edu.cn.crt
>> <Location "/casprotect/">
>> AuthType CAS
>> Require valid-user
>> </Location>
>> #*******************************************************************
>> 
>> I turned the debug level of apache to DEBUG and modified my log4j.properties
>> like below
>> log4j.logger.org.jasig.cas.web.flow=DEBUG
>> log4j.logger.org.jasig.cas.authentication=DEBUG
>> log4j.logger.org.jasig.cas.web.flow.TicketGrantingTicketCheckAction=DEBUG
>> log4j.logger.org.jasig.cas.services.DefaultServiceRegistry=DEBUG
>> log4j.logger.org.jasig.cas.services=DEBUG
>> 
>> and here is my log:
>> httpd error_log:
>> [Wed Oct 22 14:25:19 2008] [error] [client 162.105.67.102] MOD_AUTH_CAS: Could not perform SSL handshake with sp.permis.pku.edu.cn (check CASCertificatePath), referer: https://sp.permis.pku.edu.cn/cas/login?service=https%3a%2f%2fsp.permis.pku.edu.cn%2fcasprotect%2f
>> 
>> cas.log: (also in attachment)
>> 2008-10-22 14:25:10,088 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
>> 2008-10-22 14:25:10,091 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
>> 2008-10-22 14:25:10,099 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://sp.permis.pku.edu.cn/casprotect/
>> 2008-10-22 14:25:10,100 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
>> 2008-10-22 14:25:10,132 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:10,135 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
>> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
>> 2008-10-22 14:25:10,136 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
>> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
>> 2008-10-22 14:25:10,137 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
>> 2008-10-22 14:25:10,148 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
>> 2008-10-22 14:25:10,152 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:10,153 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:18,436 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing bind
>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
>> 2008-10-22 14:25:18,437 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
>> 2008-10-22 14:25:18,442 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding allowed request parameters in map['lt' -> '_c3E31A0C0-C329-DA8A-DDD2-9DB286EBDE0E_k20927939-E9B9-269E-9619-CE6C38036F87', 'service' -> 'https://sp.permis.pku.edu.cn/casprotect/', '_eventId' -> 'submit', 'password' -> '12345', 'submit' -> '??????', 'username' -> 'roey'] to form object with name 'credentials', pre-bind formObject toString = [username: null]
>> 2008-10-22 14:25:18,443 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - (Any field is allowed)
>> 2008-10-22 14:25:18,447 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Binding completed for form object with name 'credentials', post-bind formObject toString = [username: roey]
>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing validation
>> 2008-10-22 14:25:18,448 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Invoking validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator at 1533c8
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Validation completed for form object
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - There are [0] errors, details: []
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:18,451 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
>> 2008-10-22 14:25:18,452 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow
>> 2008-10-22 14:25:19,270 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: roey]
>> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Attempting to resolve a principal...
>> 2008-10-22 14:25:19,271 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - Creating SimplePrincipal for [roey]
>> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
>> 2008-10-22 14:25:19,283 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' beginning execution
>> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'
>> 2008-10-22 14:25:19,284 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' beginning execution
>> 2008-10-22 14:25:19,286 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-ZDZ5aL4YpjVdRxWJenD3-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [roey]
>> 2008-10-22 14:25:19,287 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - Action 'GenerateServiceTicketAction' completed execution; result is 'success'
>> 
>> 
>> -----Original Message-----
>> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On
>> Behalf Of Smith, Matthew J.
>> Sent: October 21, 2008 20:27
>> To: Yale CAS mailing list
>> Subject: Re: MOD_AUTH_CAS: Could not perform SSL handshake
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> Perhaps it is simply the copy & paste into the email, but I notice a few
>> spaces in the paths of your config.  Could you verify that those are not
>> in your real configuration?
>> 
>> Is mydomain.crt the signing CA for your CAS server's certificate?
>> 
>> Is mydomain.crt readable by the user the Apache daemon is running as?
>> 
>> Could you enable CAS debugging and Apache debugging, and send the extra
>> debugging information here?
>> 
>> 
>> - -Matt
>> 
>> lobatt wrote:
>>> Dear list:
>>> 
>>>          I have deployed a testing CAS server to protect an httpd
>>> Location. I can log in to the CAS server successfully, but after being
>>> automatically redirected to the protected location, it always returns a 401
>>> error page to me.
>>> 
>>> 
>>> 
>>> I checked my log:
>>> 
>>> In http log:
>>> 
>>>  - - [21/Oct/2008:14:07:40 +0800] "GET
>>> /casprotect/?ticket=ST-24-L3WtJybA9GIJNa4ASyYJ-cas HTTP/1.1" 401 564
>>> 
>>> In cas log:
>>> 
>>> 2008-10-21 14:07:40,151 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-24-L3WtJybA9GIJNa4ASyYJ-cas] for service [https://sp.permis.pku.edu.cn/casprotect/] for user [Roey]
>>> 
>>> 2008-10-21 14:22:08,272 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Tue Oct 21 14:22:08 CST 2008]
>>> 
>>> 
>>> 
>>> my mod_auth_cas configuration:
>>> 
>>> LoadModule auth_cas_module modules/mod_auth_cas.so
>>> CASCookiePath /tmp/cas/
>>> CASloginURL https://mydomain /cas/login
>>> CASValidateURL https:// mydomain /cas/serviceValidate
>>> CASCertificatePath /home/ncpku/common/httpd-2.0.59/conf/ mydomain.crt
>>> <Location "/casprotect/">
>>> AuthType CAS
>>> Require valid-user
>>> </Location>
>>> 
>>> 
>>> 
>>> I checked my CertificatePath, and I am sure that is right.
>>> 
>>> Is there any other possibility?
>>> 
>>> 
>>> 
>>> Best regards,
>>> 
>>> Li Cheng
>>> 
>>> 
>>> ------------------------------------------------------------------------
>>> 
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas at tp.its.yale.edu
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>> 
>> 
>> - --
>> Matthew J. Smith
>> University of Connecticut ITS
>> matt.smith at uconn.edu
>> PGP KeyID: 0xE9C5244E
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.6 (GNU/Linux)
>> 
>> iD8DBQFI/cqmGP63pOnFJE4RApgoAKCvr6dwN9JJ9UoB6Kswyz46G04ptwCfchdd
>> kISrC2dQDweyubCquluMLLU=
>> =VZuH
>> -----END PGP SIGNATURE-----

-- 
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)
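The thread keeps returning to two questions about the file named by CASCertificatePath: is it actually the certificate (or signing CA) that validates what the CAS server presents during the handshake, and can the Apache worker user read it. The script below is an added example written for this page; it is not code from the thread, from mod_auth_cas, or from the CAS project. It assumes the openssl command-line tool is installed, uses hypothetical names (cas.example.invalid, "Demo CAS CA", "Unrelated CA"), and builds its own throwaway certificates so that the checks can be run offline; the same check_ca_file function works on a certificate fetched from a live server with fetch_server_cert.

```shell
#!/bin/sh
# Added example (not from the thread or from mod_auth_cas): offline checks for
# "Could not perform SSL handshake ... (check CASCertificatePath)".
#   1. Does the CASCertificatePath file validate the CAS server's certificate?
#   2. Is that file readable by the unprivileged account Apache runs as?

# check_ca_file CA_FILE SERVER_CERT
# Exit status 0 if SERVER_CERT chains to a certificate in CA_FILE, 1 if not.
# -no-CApath keeps the system trust store out of the decision, so only the
# file Apache would be given counts, which mirrors what mod_auth_cas sees.
check_ca_file() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_world_readable FILE
# Exit status 0 if FILE exists and is readable by "other" (a 644 file
# qualifies), 1 otherwise. A 600 file owned by root is the usual way this
# fails for Apache's worker processes.
check_world_readable() {
    [ -e "$1" ] || return 1
    other_bit=$(ls -l "$1" | cut -c8)
    [ "$other_bit" = "r" ]
}

# fetch_server_cert HOST PORT OUT_FILE
# Live check for a real deployment: save the certificate the CAS server sends
# so it can be fed to check_ca_file. Not used by the offline demo below.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# make_demo_certs DIR
# Constructed test material (hypothetical names): a throwaway CA, a server
# certificate signed by it, and an unrelated self-signed CA that plays the
# role of "the wrong file in CASCertificatePath". A private config file is
# used so the CA flag does not depend on the system openssl.cnf.
make_demo_certs() {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CAS CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=cas.example.invalid" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# demo: run both checks against the constructed certificates and report.
demo() {
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    for ca in ca.crt other.crt; do
        if check_ca_file "$dir/$ca" "$dir/server.crt"; then
            echo "$ca: validates server.crt (usable as CASCertificatePath)"
        else
            echo "$ca: does NOT validate server.crt (handshake would fail)"
        fi
    done
    chmod 644 "$dir/ca.crt"
    check_world_readable "$dir/ca.crt" && echo "ca.crt: readable by other users"
    rm -rf "$dir"
}

# Usage: sh check_cas_cert.sh --demo
case "${1:-}" in
    --demo) demo ;;
esac
```

For a real deployment, run fetch_server_cert against the CAS host and port, then call check_ca_file with the CASCertificatePath file and the saved certificate: a non-zero status from that call means mod_auth_cas will refuse the handshake no matter what the file permissions are, while a zero status combined with a failed check_world_readable points at the permissions question instead.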