CAS proxy validation failure - Configured TLS trust engine was not used

Cantor, Scott cantor.2 at osu.edu
Tue Aug 18 19:45:42 UTC 2020


On 8/18/20, 3:15 PM, "users on behalf of Paul B. Henson" <users-bounces at shibboleth.net on behalf of henson at cpp.edu> wrote:

>    So that didn't work out. Is there any way to create an instance of httpclient that uses the
> org.apache.commons.httpclient.SimpleHttpConnectionManager instead of the pooled one? That would work around 
> the wedged socket bug and I would also be curious what would happen with this validation issue bug in that case. It
> looks like the vanilla factory is org.apache.http.impl.client.HttpClientBuilder?

We have our own builder, net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder, and I believe there's no way to influence that property in XML and without overriding all of the other behavior used for security.

But yes, I would guess that the pooling code in that library has bugs and that's probably involved. We are back a version also.

> But I'm not quite sure how to instantiate it with XML, all of the examples I can find do it with actual Java code.

They can't be done easily with XML, that's why we wrapped them. Java people like to use fluent design now, and fluent designs don't work with Spring.

>    Sure, it's pretty simple to set up; you just need to add a few beans to the relying party definition:

I can look at configuring it this week; we'd have to coordinate a test I guess since those clients point to your IdP and not ours.

-- Scott



