Posted to users@directory.apache.org by John Lee <jh...@gmail.com> on 2017/07/26 08:19:55 UTC

[ApacheDS] Cannot establish TLS connection between spring-ldap client and apacheds

Hello there,

I'm having a problem establishing an LDAPS connection between spring-ldap
client and apacheDS. Details are provided on stackoverflow, as this is the
official forum for spring-ldap and I assume the problem is client-side:

https://stackoverflow.com/questions/45232244/cannot-establish-tls-connection-between-spring-ldap-client-and-apacheds

However, is there any trouble-shooting I can do on apacheDS to try to get
to the root of the problem in TLS hand-shake? I've been following:

http://directory.apache.org/apacheds/basic-ug/3.3-enabling-ssl.html#troubleshooting

I'm a novice ApacheDS user.
Thanks,
//John.

Re: [ApacheDS] Cannot establish TLS connection between spring-ldap client and apacheds

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 26/07/2017 at 18:57, John Lee wrote:
> Thanks for your support guys.
>
> I was able to connect via LDAPS connection with Studio which presumably
> uses the Apache LDAP API?
Yes.

> Under : DN:
> ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> I have setting :
>
> ads-enabledprotocols:TLSv1.2

Which is ok.
>
> I only just added this on Emmanuel's guidance, but I get the same problem.
> The Java LDAPS client is using oracle JDK8 which defaults to using the
> TLSv1.2 protocol.
>
> Yeh I followed through some of the google links. I noticed some references
> to similar problems happening more frequently with certain ciphers (
> http://apache-ignite-users.70518.x6.nabble.com/Random-SSL-unsupported-record-version-td8406.html),
> although in my case the connection always fails rather than fails randomly.
>
> I see a question raised in March in archives (
> http://mail-archives.apache.org/mod_mbox/directory-users/201703.mbox/browser
> -  Problem with limiting ciphers for ldaps) about the possibility of
> restricting the ciphers used, as I was going to try and use a different
> cipher, maybe older less secure one just for test purposes to see if I get
> the same problem. However, I don't think this cipher restriction is
> supported in ApacheDS configuration?
>
> That archived question also asks how the cipher list is arrived at and if
> java.security specified providers are consulted to figure out the ciphers
> that are supported by the installed java version. For example, in my case
> Apache DS is running on openJdk 7 but my client is running on Oracle JDK 8.
> I'll try upgrading to use Oracle JDK 8 on the host for apache DS and see if
> it makes a difference.

Yes, try to run ApacheDS with Java 7.

I was a bit quick in my previous answer, btw. Clearly, the ClientHello
and ServerHello exchanges have been done properly, with

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 being selected, and TLSv1.2
being used. Be sure that the server uses Java with the Unlimited Strength Jurisdiction Policy Files
(http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html).


-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
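A small diagnostic that checks the two things Emmanuel points at, the JCE policy strength and the suite actually negotiated under TLSv1.2, against an LDAPS port. This is an added example, not code from the thread or from ApacheDS; the host, port and the class name are assumptions, and the truststore must already contain the server certificate.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

/**
 * Added diagnostic (not part of the thread or of ApacheDS).
 * 1. Reports the maximum AES key length: AES-256 suites such as
 *    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 need the Unlimited Strength
 *    policy on Java 7 / early Java 8, otherwise this prints 128.
 * 2. Lists the suites this JVM offers by default (the client side of
 *    "how is the cipher list arrived at").
 * 3. Performs a bare TLSv1.2 handshake, mirroring ads-enabledprotocols,
 *    and prints the negotiated protocol and suite.
 * Usage: java LdapsHandshakeCheck <host> <port>   (host/port are assumptions;
 * 10636 is used as a placeholder LDAPS port)
 */
public class LdapsHandshakeCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 10636;

        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes >= 256 ? " (unlimited strength active)" : " (LIMITED policy)"));

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        System.out.println("Default suites: "
                + Arrays.toString(factory.getDefaultCipherSuites()));

        // Restrict the client to TLSv1.2 only, as configured on the server side.
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            sock.setEnabledProtocols(new String[] {"TLSv1.2"});
            sock.setSoTimeout(5000);
            sock.startHandshake();
            System.out.println("Negotiated " + sock.getSession().getProtocol()
                    + " / " + sock.getSession().getCipherSuite());
        }
    }
}
```

Run it with -Djavax.net.debug=ssl:handshake and -Djavax.net.ssl.trustStore pointing at a store holding the ApacheDS certificate; a "PKIX path building failed" error means trust, not the record-version problem seen in the thread, while a 128 on the first line points at the limited policy.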


Re: [ApacheDS] Cannot establish TLS connection between spring-ldap client and apacheds

Posted by John Lee <jh...@gmail.com>.
Thanks for your support guys.

I was able to connect via LDAPS connection with Studio which presumably
uses the Apache LDAP API?
Under : DN:
ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
I have setting :

ads-enabledprotocols:TLSv1.2

I only just added this on Emmanuel's guidance, but I get the same problem.
The Java LDAPS client is using oracle JDK8 which defaults to using the
TLSv1.2 protocol.

Yeh I followed through some of the google links. I noticed some references
to similar problems happening more frequently with certain ciphers (
http://apache-ignite-users.70518.x6.nabble.com/Random-SSL-unsupported-record-version-td8406.html),
although in my case the connection always fails rather than fails randomly.

I see a question raised in March in archives (
http://mail-archives.apache.org/mod_mbox/directory-users/201703.mbox/browser
-  Problem with limiting ciphers for ldaps) about the possibility of
restricting the ciphers used, as I was going to try and use a different
cipher, maybe older less secure one just for test purposes to see if I get
the same problem. However, I don't think this cipher restriction is
supported in ApacheDS configuration?

That archived question also asks how the cipher list is arrived at and if
java.security specified providers are consulted to figure out the ciphers
that are supported by the installed java version. For example, in my case
Apache DS is running on openJdk 7 but my client is running on Oracle JDK 8.
I'll try upgrading to use Oracle JDK 8 on the host for apache DS and see if
it makes a difference.


On Wed, Jul 26, 2017 at 2:58 PM, Shawn McKinney <sm...@apache.org>
wrote:

>
> > On Jul 26, 2017, at 3:19 AM, John Lee <jh...@gmail.com> wrote:
> >
> > I'm having a problem establishing an LDAPS connection between spring-ldap
> > client and apacheDS. Details are provided on stackoverflow, as this is
> the
> > official forum for spring-ldap and I assume the problem is client-side:
> >
> > https://stackoverflow.com/questions/45232244/cannot-
> establish-tls-connection-between-spring-ldap-client-and-apacheds
>
> Nice writeup on overflow.  This error jumped out at me:
> Thread-8, handling exception: javax.net.ssl.SSLException: Unsupported
> record version Unknown-38.2
> %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
> Thread-8, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
>
> for which I googled:
> "javax.net.ssl.SSLException: Unsupported record version Unknown-38.2
> %% Invalidated"
>
> and found some hits.  Have you chased those down?
>
> The other thing you can try is connecting with the Apache LDAP API instead
> of spring ldap.  I am not suggesting that spring ldap’s apis are broken on
> TLS.  I’m saying that apacheds + its own ldap api are a combination that
> has been tested by us here and we’re going to have better support for you.
>
> There’s some doc about the api and crypto stuff here:
> http://directory.apache.org/api/user-guide/5.1-ldaps.html
>
> Oh and welcome to the list.  Good luck.
>
> Shawn

Re: [ApacheDS] Cannot establish TLS connection between spring-ldap client and apacheds

Posted by Shawn McKinney <sm...@apache.org>.
> On Jul 26, 2017, at 3:19 AM, John Lee <jh...@gmail.com> wrote:
> 
> I'm having a problem establishing an LDAPS connection between spring-ldap
> client and apacheDS. Details are provided on stackoverflow, as this is the
> official forum for spring-ldap and I assume the problem is client-side:
> 
> https://stackoverflow.com/questions/45232244/cannot-establish-tls-connection-between-spring-ldap-client-and-apacheds

Nice writeup on overflow.  This error jumped out at me:
Thread-8, handling exception: javax.net.ssl.SSLException: Unsupported record version Unknown-38.2
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
Thread-8, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message

for which I googled:
"javax.net.ssl.SSLException: Unsupported record version Unknown-38.2
%% Invalidated"

and found some hits.  Have you chased those down?

The other thing you can try is connecting with the Apache LDAP API instead of spring ldap.  I am not suggesting that spring ldap’s apis are broken on TLS.  I’m saying that apacheds + its own ldap api are a combination that has been tested by us here and we’re going to have better support for you.

There’s some doc about the api and crypto stuff here:
http://directory.apache.org/api/user-guide/5.1-ldaps.html

Oh and welcome to the list.  Good luck.

Shawn