CAS test environment updated: Tomcat 8.5

Created by Baron Fujimoto
Last updated: May 31, 2018
1 min read

The CAS test environment (cas-test.its.hawaii.edu) has been updated.

As always, we encourage you to test your applications against the updated environment.

  •  Tomcat has been updated from 8.0.50 to 8.5.31

This is a somewhat significant update for the Java Servlet Container that the CAS application runs in. The Tomcat 8.0.x track is scheduled for EOL 2018-06-30.

This version supports TLSv1.1 and TLSv1.2. Notably, TLSv1.0 was previously supported, but is not in this update.

(warning) Some testers who've encountered handshake protocol errors have resolved the problem with the following (or equivalent) in their client configuration:

  • Tomcat
    • -Dhttps.protocols=TLSv1,TLSv1.2,TLSv1.1
      • As long you have at least one of the supported protocols (TLSv1.2,TLSv1.1) it should work
      • TLSv1 above is Tomcat's configuration string for TLSv1.0 (ignored by this update to our Tomcat)
  • PHP:

    • Set CURLOPT_SSLVERSION to 5 or 6 (or do not set CURLOPT_SSLVERSION)

      reported successful configuration change
      // curl_setopt($ch, CURLOPT_SSLVERSION, 4);
// curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

    • PHP documentation recommends not setting CURLOPT_SSLVERSION

      • Comments suggest, "CURL_SSLVERSION_TLSv1_1 (5) or CURL_SSLVERSION_TLSv1_2 (6) only work for PHP versions using curl 7.34 or newer"
  • (info) Consider deprecating TLSv1.0 in your client configurations if possible

The following ciphers are supported as determined by SSL Labs' SSL server test:

TLS 1.2 (suites in server-preferred order)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS 1.1 (suites in server-preferred order)

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Barring unforeseen problems, this update will be promoted to our production environment at a date yet to be determined.

We will advise before doing so.