Note
If you enable SSL 3.0 or TLS 1.0 -- for compatibility or any other reason -- you make your application vulnerable to the serious attacks against which TLSv1.1 and TLSv1.2 provide protection.
To enable the SSL 3.0 protocol for CAS, follow these steps:

1. In %CAS_ROOT%\..\workspace\conf\jetty.xml, set the "IncludeProtocols" array property in TLSSocketConnector to SSLv3:

    <Call name="addConnector">
      <Arg>
        <New class="com.endeca.itl.jetty.TLSSocketConnector">
          <Set name="Port"><SystemProperty name="com.endeca.cas.ssl.port"/></Set>
          <Set name="maxIdleTime">600000</Set>
          <Set name="keystore"><SystemProperty name="javax.net.ssl.keyStore"/></Set>
          <Set name="keyPassword"><SystemProperty name="javax.net.ssl.keyStorePassword"/></Set>
          <Set name="truststore"><SystemProperty name="javax.net.ssl.trustStore"/></Set>
          <Set name="trustPassword"><SystemProperty name="javax.net.ssl.trustStorePassword"/></Set>
          <Set name="needClientAuth">true</Set>
          <Set name="IncludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </New>
      </Arg>
    </Call>

2. Open the java.security file in %CAS_ROOT%/java/jre/lib/security.

3. Uncomment the "jdk.tls.disabledAlgorithms" property and disable all protocols other than SSLv3:

    jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, TLSv1.2
To enable the TLS 1.0 protocol for CAS, follow the same steps that you follow to enable SSL 3.0, with the following exceptions:

1. In %CAS_ROOT%\..\workspace\conf\jetty.xml, change the item in the "IncludeProtocols" array property of TLSSocketConnector to TLSv1:

    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1</Item>
      </Array>
    </Set>

2. In the java.security file, the "jdk.tls.disabledAlgorithms" property must be changed to:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, TLSv1.2
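Both procedures above touch two settings that must agree: the protocols Jetty includes and the protocols the JVM disables. The audit below, an added example that is not part of the CAS documentation, reads constructed samples of both files, computes which protocols remain enabled, and reports a legacy protocol (SSLv3 or TLSv1) or an empty set, which would make every handshake fail; only protocol-version entries of jdk.tls.disabledAlgorithms are compared.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of jetty.xml (other settings omitted).
JETTY_XML = """<Configure>
<Call name="addConnector"><Arg>
<New class="com.endeca.itl.jetty.TLSSocketConnector">
  <Set name="IncludeProtocols">
    <Array type="java.lang.String"><Item>SSLv3</Item></Array>
  </Set>
</New></Arg></Call>
</Configure>"""

# Constructed sample lines from java.security after step 3 of the SSL 3.0 procedure.
JAVA_SECURITY = """# other properties omitted
jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, TLSv1.2
"""

LEGACY = {"SSLv3", "TLSv1"}  # protocols the note above warns about

def included_protocols(jetty_xml: str) -> set:
    """Collect IncludeProtocols items from every TLSSocketConnector in jetty.xml."""
    items = set()
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class") != "com.endeca.itl.jetty.TLSSocketConnector":
            continue
        for setter in new.findall("Set"):
            if setter.get("name") == "IncludeProtocols":
                items.update(i.text.strip() for i in setter.iter("Item") if i.text)
    return items

def disabled_algorithms(java_security: str) -> set:
    """Return the comma-separated entries of jdk.tls.disabledAlgorithms (commented-out lines are ignored)."""
    for line in java_security.splitlines():
        line = line.strip()
        if line.startswith("jdk.tls.disabledAlgorithms="):
            return {v.strip() for v in line.split("=", 1)[1].split(",") if v.strip()}
    return set()

def effective_protocols(jetty_xml: str, java_security: str) -> set:
    """Protocols Jetty offers that the JVM has not disabled."""
    return included_protocols(jetty_xml) - disabled_algorithms(java_security)

def audit(jetty_xml: str, java_security: str):
    """Return (effective protocols, list of findings a reviewer should act on)."""
    eff = effective_protocols(jetty_xml, java_security)
    findings = []
    if not eff:
        findings.append("no protocol is both included and enabled: handshakes will fail")
    findings += [f"legacy protocol {p} is enabled" for p in sorted(eff & LEGACY)]
    return eff, findings

if __name__ == "__main__":
    print(audit(JETTY_XML, JAVA_SECURITY))
```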