AppScan scanned the Tomcat instance hosting CAS and reported "Support for deprecated SSL versions", so the Tomcat connector was restricted to TLSv1.2:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/opt/neu/keystore" keystorePass="123456"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" />
After this change, the CAS client fails with:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
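According to this article, https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https , the client's JDK 1.7 does not enable TLSv1.2 by default, so the system property -Dhttps.protocols=TLSv1.2 must be added to the client JVM.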
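
To confirm the cause and the fix on the client side, the following check prints which TLS versions the client JVM supports and which it enables by default, then attempts an HTTPS handshake. It is an added example, not code from the original post; the class name TlsClientCheck and the URL passed on the command line are hypothetical.

```java
import java.net.URL;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;

// Added example; TlsClientCheck and the URL argument are hypothetical names.
// Compiles on JDK 7. Run it with the same JVM and truststore as the CAS client:
//   java TlsClientCheck https://<cas-host>:8443/
//   java -Dhttps.protocols=TLSv1.2 TlsClientCheck https://<cas-host>:8443/
public class TlsClientCheck {

    // True if the protocol list contains the given protocol name.
    static boolean has(String[] protocols, String name) {
        return Arrays.asList(protocols).contains(name);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();

        System.out.println("java.version    = " + System.getProperty("java.version"));
        System.out.println("https.protocols = " + System.getProperty("https.protocols"));
        System.out.println("supported       = " + Arrays.toString(supported));
        // JSSE defaults only; https.protocols is applied later, by HttpsURLConnection.
        System.out.println("default enabled = " + Arrays.toString(enabled));

        if (has(supported, "TLSv1.2") && !has(enabled, "TLSv1.2")) {
            System.out.println("TLSv1.2 is implemented but not enabled by default; "
                    + "a TLSv1.2-only server will reject a default client.");
        }
        if (args.length == 0) {
            return; // no URL given: report the JVM settings only
        }

        // Same code path as an HTTPS call made through java.net.URL.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        try {
            conn.connect(); // performs the TLS handshake
            System.out.println("handshake OK, cipher suite = " + conn.getCipherSuite());
        } catch (SSLHandshakeException e) {
            // handshake_failure: no shared protocol or cipher; a PKIX message means a trust problem
            System.out.println("handshake FAILED: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

The https.protocols property only affects connections made through HttpsURLConnection; client code that creates its own SSLSocket or SSLContext has to enable TLSv1.2 explicitly.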