Posted to users@directory.apache.org by Kiran Ayyagari <ka...@apache.org> on 2014/03/18 03:33:04 UTC
Re: LdapNetworkConnection - SSL handshake failed
On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <fl...@gmail.com> wrote:
> Hi guys..
>
> I have been trying to connect to an open ldap server using ssl/ldaps
> I can connect to that server using apache studio(via ldaps) and I would
> like to connect to the same server using the apache api.
>
> This is the code... One detail is that I generated the key in the server
> using openssl
>
>
> Then I have done some research and some people say that I need to generate
> a key in the java pattern.. so then I generated a PKCS #12 key store using
> something like
>
you don't need to do this unless you want your client to be verified with the server
> openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> and then
> keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks
> -srcstoretype pkcs12
>
>
> I have attached the stacktrace..
> The exception happens in the bind method
>
> public static void initConnection() throws LdapException, IOException {
>
>     LdapConnection conn ...
>
>     if (conn == null) {
>         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
>         KeyManagerFactory keyManagerFactory = null;
>         try {
>             FileInputStream fis = new FileInputStream("server.jks");
>
>             keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
>             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
>             char[] password = new String("mykeyPass").toCharArray();
>             keyStore.load(fis, password);
>             keyManagerFactory.init(keyStore, password);
>             keyManagerFactory.getKeyManagers();
>             connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
>         } catch (NoSuchAlgorithmException ex) {
>             ex.printStackTrace(System.out);
>         } catch (KeyStoreException ex) {
>             ex.printStackTrace(System.out);
>         } catch (UnrecoverableKeyException ex) {
>             ex.printStackTrace(System.out);
>         } catch (CertificateException ex) {
>             ex.printStackTrace(System.out);
>         }
>
just drop all the above KeyManager code and the client will work.
>         connectionConfig.setLdapHost("myhost");
>         connectionConfig.setLdapPort(636);
>         connectionConfig.setName("cn=Manager,dc=example,dc=com");
>         connectionConfig.setCredentials("mypass");
>         connectionConfig.setUseSsl(true);
>         connectionConfig.setSslProtocol("SSLv3");
>         conn = new LdapNetworkConnection(connectionConfig);
>
>         conn.connect();
>         conn.bind();
>     }
>
note that by default the client will trust any X509 certificate used by the server, if you want to restrict it then a custom trust manager must be provided and set using connectionConfig.setTrustManagers()
> Thanks
> Flavio
>
--
Kiran Ayyagari
http://keydap.com
Re: LdapNetworkConnection - SSL handshake failed
Posted by Flavio Mattos <fl...@gmail.com>.
Kiran.. thank you so much for your time.. it worked!..
I am posting the code.. just in case someone needs it..
import java.io.IOException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

private static LdapNetworkConnection conn;

public static void initConnection() throws LdapException, IOException {
    if (conn == null) {
        LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
        // accepts whatever certificate the server presents: no chain or hostname validation
        connectionConfig.setTrustManagers(new NoVerificationTrustManager());
        connectionConfig.setLdapHost("myhost");
        connectionConfig.setLdapPort(636);
        connectionConfig.setName("cn=Manager,dc=example,dc=com");
        connectionConfig.setCredentials("mypass");
        connectionConfig.setSslProtocol("SSLv3");
        connectionConfig.setUseSsl(true);
        conn = new LdapNetworkConnection(connectionConfig);
        conn.connect();
    }
}
Re: LdapNetworkConnection - SSL handshake failed
Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Mar 18, 2014 at 10:53 PM, Flavio Mattos <fl...@gmail.com> wrote:
> here it is.. it was attached with the last email as well...
>
attachments get stripped by ASF mailer
> Thanks
>
> 513 [NioProcessor-1] WARN org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake failed.
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:724)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
>     at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
>     ... 15 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
>     at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
>     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
>     ... 17 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
this is happening due to the default TrustManager set by default in
LdapConnectionConfig
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
>     ... 25 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>     ... 31 more
> 714 [main] ERROR org.apache.directory.ldap.client.api.LdapNetworkConnection - Message failed : something wrong has occurred
> org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
>     at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)
>
>
>
>
> On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari <kayyagari@apache.org
> >wrote:
>
> > On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <
> flaviomattos86@gmail.com
> > >wrote:
> >
> > > Hi Kiran.. thank you for replying to my message...
> > >
> > > I tried to do what you suggested and it did not work. I have attached
> the
> > > stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> > > failed.
> > >
> > please post the stacktrace as well
> >
> > >
> > > public static void initConnection() throws LdapException, IOException {
> > >     if (conn == null) {
> > >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > >         connectionConfig.setLdapHost("myhost");
> > >         connectionConfig.setLdapPort(636);
> > >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >         connectionConfig.setCredentials("mypass");
> > >         connectionConfig.setUseSsl(true);
> > >         connectionConfig.setSslProtocol("SSLv3");
>
add the below line here:
connectionConfig.setTrustManagers(new NoVerificationTrustManager()); // add the appropriate import
> > >         conn = new LdapNetworkConnection(connectionConfig);
> > >
> > >         conn.connect();
> > >         conn.bind();
> > >     }
> > > }
> > >
> > > I also tried the following code using tls and trustmanagers but this
> time
> > > it gives me a Protocol error
> > >
>
the same fix (mentioned above) will work here, and also for TLS you _should_ use the non-SSL port
> > > org.apache.directory.api.ldap.model.exception.LdapOperationException: PROTOCOL_ERROR: The server will disconnect!
> > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
> > >
> > > public static void initConnection() throws LdapException, IOException {
> > >
> > >     if (conn == null) {
> > >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > >
> > >         try {
> > >             FileInputStream fis = new FileInputStream("server.jks");
> > >
> > >             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > >
> > >             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> > >             char[] password = new String("myCertPass").toCharArray();
> > >             keyStore.load(fis, password);
> > >             tmf.init(keyStore);
> > >
> > >             connectionConfig.setTrustManagers(tmf.getTrustManagers());
> > >         } catch (NoSuchAlgorithmException ex) {
> > >             ex.printStackTrace(System.out);
> > >         } catch (KeyStoreException ex) {
> > >             ex.printStackTrace(System.out);
> > >         } catch (CertificateException ex) {
> > >             ex.printStackTrace(System.out);
> > >         }
> > >
> > >         connectionConfig.setLdapHost("myhost");
> > >         connectionConfig.setLdapPort(636);
> > >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >         connectionConfig.setCredentials("mypass");
> > >         connectionConfig.setSslProtocol("SSLv3");
> > >         connectionConfig.setUseTls(true);
> > >         conn = new LdapNetworkConnection(connectionConfig);
> > >         conn.connect();
> > >         conn.startTls();
> > >     }
> > > }
> > >
> > >
> > > Thanks in advance
> > >
> > > Flavio
> > >
> > >
>
--
Kiran Ayyagari
http://keydap.com
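The fix that made Flavio's client work gets past the handshake by switching certificate validation off, and that deserves spelling out: with NoVerificationTrustManager, any host that answers on port 636 with any certificate is accepted, so an attacker on the path receives the cn=Manager bind password over a channel the client believes is protected. The "PKIX path building failed" in the stack trace is the JVM correctly reporting that the server's self-signed certificate chains to nothing it trusts; the fix that keeps that check is to put the server certificate (or its issuing CA) into a truststore and hand a TrustManagerFactory initialised from it to setTrustManagers(). The following is an added example written for this page, not code from the thread or from the Apache Directory project. It builds such a configuration for both LDAPS on 636 and, following Kiran's point that StartTLS belongs on the plain port, StartTLS on 389; the StartTLS path calls startTls() explicitly rather than setting useTls, so it does not depend on whether a given API version issues the StartTLS request from connect(). It also replaces "SSLv3" with "TLSv1.2", and wraps the PKIX trust manager in a hostname check on the leaf certificate's dNSName SANs rather than relying on the client library to perform endpoint identification. The class name, truststore.jks with its alias and password "changeit", the port numbers, and the host, DN and password values are assumptions carried over from the thread's placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class VerifiedLdapClient {

    // PKIX trust manager over a truststore that holds only the LDAP server's CA (or its self-signed
    // cert). Assumed built with: keytool -importcert -alias ldap-ca -file ca.pem -keystore truststore.jks
    // This is a truststore, not the server.jks from the thread: the client never needs the server's key.
    static X509TrustManager pkixTrustManager(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager for " + path);
    }

    // Chain validation alone does not tie the certificate to the host we dialled; this wrapper
    // adds a dNSName SAN check (exact match or a single leftmost-label wildcard) on the leaf.
    static final class HostCheckingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final String host;

        HostCheckingTrustManager(X509TrustManager delegate, String host) {
            this.delegate = delegate;
            this.host = host.toLowerCase();
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType); // PKIX path building against the truststore
            if (!matchesHost(chain[0], host)) {
                throw new CertificateException("server certificate has no dNSName SAN matching " + host);
            }
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static boolean matchesHost(X509Certificate leaf, String host) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false; // no SAN extension: reject rather than fall back to the subject CN
        int dot = host.indexOf('.');
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // GeneralName type 2 is dNSName
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(host)) return true;
            if (name.startsWith("*.") && dot > 0 && host.substring(dot).equals(name.substring(1))) return true;
        }
        return false;
    }

    // startTls=false: LDAPS on 636. startTls=true: plain LDAP on 389, upgraded by the StartTLS extended op.
    static LdapConnectionConfig config(String host, boolean startTls, String bindDn, String bindPassword,
                                       String trustStore, char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        LdapConnectionConfig cfg = new LdapConnectionConfig();
        cfg.setLdapHost(host);
        cfg.setLdapPort(startTls ? 389 : 636);
        cfg.setUseSsl(!startTls);
        cfg.setSslProtocol("TLSv1.2"); // not "SSLv3": broken by POODLE and disabled in current JVMs
        cfg.setTrustManagers(new HostCheckingTrustManager(pkixTrustManager(trustStore, trustStorePassword), host));
        cfg.setName(bindDn);
        cfg.setCredentials(bindPassword);
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        boolean startTls = args.length > 0 && "starttls".equals(args[0]);
        LdapNetworkConnection conn = new LdapNetworkConnection(config("myhost", startTls,
                "cn=Manager,dc=example,dc=com", "mypass", "truststore.jks", "changeit".toCharArray()));
        try {
            conn.connect();
            if (startTls) conn.startTls(); // negotiate TLS first so the bind password never crosses in clear
            conn.bind();
            System.out.println("authenticated: " + conn.isAuthenticated());
        } finally {
            conn.close();
        }
    }
}
```

Run it with no argument for LDAPS, or with `starttls` for the StartTLS path. If it fails with the same "PKIX path building failed" message, the truststore does not contain the issuer of the certificate the server actually sends; compare `keytool -list -v -keystore truststore.jks` with the chain printed by `openssl s_client -connect myhost:636 -showcerts` before loosening anything. Note also that Flavio's first attempt loaded server.jks, which holds the server's private key, into a KeyManagerFactory: as Kiran says, a key manager is only needed for client certificate authentication, and the server's private key should never be on the client at all.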
Re: LdapNetworkConnection - SSL handshake failed
Posted by Flavio Mattos <fl...@gmail.com>.
here it is.. it was attached with the last email as well...
Thanks
513 [NioProcessor-1] WARN org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake failed.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
    at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
    at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
    at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
    at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
    ... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
    at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
    at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 31 more
714 [main] ERROR org.apache.directory.ldap.client.api.LdapNetworkConnection
- Message failed : something wrong has occurred
org.apache.directory.ldap.client.api.exception.InvalidConnectionException:
SSL handshake failed.
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)
On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari <ka...@apache.org> wrote:
> On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <flaviomattos86@gmail.com> wrote:
>
> > Hi Kiran.. thank you for replying my message...
> >
> > I tried to do what you suggested and it did not work. I have attached the
> > stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> > failed.
> >
> please post the stacktrace as well
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
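The innermost cause in the trace above, "unable to find valid certification path to requested target", is the JSSE PKIX validator (the frames show sun.security.ssl.X509TrustManagerImpl doing the work, not the API's accept-anything default) reporting that the chain the server presented does not end at any trust anchor in the store that manager was initialised from. With a certificate generated locally with openssl, that anchor is the server's own self-signed certificate or the private CA that signed it, and it has to be in a store that the client uses for trust. The following is an added example, not code from this thread or from the Apache LDAP API project: an LDAPS client that takes its trust anchors from a dedicated trust store and fails closed, i.e. never reaches connect(), when that store is missing or empty. The host name, bind DN, password, file names and the keytool alias are placeholders.

```java
// Added example, not code from this thread or from the Apache LDAP API project.
// Host, bind DN, password, file names and the keytool alias are placeholders.
//
// Build the trust store from the server's public certificate only. A trust store
// needs trust anchors, not the server's key pair, so do not import server.p12:
//   keytool -importcert -noprompt -alias ldap-server -file cert.pem \
//       -keystore ldap-truststore.jks -storepass changeit
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class LdapsClient {

    /** Trust managers whose only anchors are the certificate entries of the given store. */
    static TrustManager[] loadTrustManagers(String path, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, storePass);
        }
        if (trustStore.size() == 0) {
            throw new GeneralSecurityException("trust store " + path + " contains no entries");
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // PKIX validation against exactly these anchors
        return tmf.getTrustManagers();
    }

    static LdapConnectionConfig ldapsConfig(String host, TrustManager[] trustManagers) {
        LdapConnectionConfig cfg = new LdapConnectionConfig();
        cfg.setLdapHost(host);
        cfg.setLdapPort(636);                // LDAPS: the TLS handshake is the first thing on the wire
        cfg.setUseSsl(true);
        cfg.setSslProtocol("TLS");           // not "SSLv3": let JSSE negotiate a TLS version
        cfg.setTrustManagers(trustManagers); // replaces the API's accept-anything default
        cfg.setName("cn=Manager,dc=example,dc=com");
        cfg.setCredentials("mypass");
        return cfg;
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException, LdapException {
        // No catch-and-continue: a missing or empty trust store stops us before connect().
        TrustManager[] tms = loadTrustManagers("ldap-truststore.jks", "changeit".toCharArray());
        LdapNetworkConnection conn = new LdapNetworkConnection(ldapsConfig("ldap.example.com", tms));
        try {
            conn.connect(); // handshake; a chain that does not reach our anchors fails here or at bind()
            conn.bind();    // credentials are sent only inside the established TLS session
            System.out.println("authenticated: " + conn.isAuthenticated());
        } finally {
            conn.close();
        }
    }
}
```

If the handshake still fails with the same PKIX message after this change, the chain the server actually sends is not the one in the store: `openssl s_client -connect myhost:636 -showcerts` prints what the server presents, and the issuer of the leaf certificate (or the leaf itself, when it is self-signed) is what belongs in the trust store.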
Re: LdapNetworkConnection - SSL handshake failed
Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <fl...@gmail.com> wrote:
> Hi Kiran.. thank you for replying to my message...
>
> I tried to do what you suggested and it did not work. I have attached the
> stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> failed.
>
please post the stacktrace as well
>
> public static void initConnection() throws LdapException, IOException {
>     if (conn == null) {
>         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
>         connectionConfig.setLdapHost("myhost");
>         connectionConfig.setLdapPort(636);
>         connectionConfig.setName("cn=Manager,dc=example,dc=com");
>         connectionConfig.setCredentials("mypass");
>         connectionConfig.setUseSsl(true);
>         connectionConfig.setSslProtocol("SSLv3");
>         conn = new LdapNetworkConnection(connectionConfig);
>
>         conn.connect();
>         conn.bind();
>     }
> }
>
> I also tried the following code using tls and trustmanagers but this time
> it gives me a Protocol error
>
> org.apache.directory.api.ldap.model.exception.LdapOperationException: PROTOCOL_ERROR: The server will disconnect!
> at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
>
> public static void initConnection() throws LdapException, IOException {
>     if (conn == null) {
>         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
>
>         try (FileInputStream fis = new FileInputStream("server.jks")) {
>             TrustManagerFactory tmf =
>                 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
>             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
>             char[] password = "myCertPass".toCharArray();
>
>             keyStore.load(fis, password);
>             tmf.init(keyStore);
>
>             connectionConfig.setTrustManagers(tmf.getTrustManagers());
>         } catch (NoSuchAlgorithmException ex) {
>             ex.printStackTrace(System.out);
>         } catch (KeyStoreException ex) {
>             ex.printStackTrace(System.out);
>         } catch (CertificateException ex) {
>             ex.printStackTrace(System.out);
>         }
>         // if any of the above fails, no trust managers are set and the code still connects
>
>         connectionConfig.setLdapHost("myhost");
>         connectionConfig.setLdapPort(636);
>         connectionConfig.setName("cn=Manager,dc=example,dc=com");
>         connectionConfig.setCredentials("mypass");
>         connectionConfig.setSslProtocol("SSLv3");
>         connectionConfig.setUseTls(true);
>         conn = new LdapNetworkConnection(connectionConfig);
>         conn.connect();
>         conn.startTls();
>     }
> }
>
>
> Thanks in advance
>
> Flavio
>
>
>
--
Kiran Ayyagari
http://keydap.com
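The quoted second attempt issues a StartTLS extended request to port 636. StartTLS (RFC 4511, section 4.14) is an ordinary LDAP operation sent in the clear on the plaintext LDAP port, after which the same socket is upgraded to TLS; port 636 (LDAPS) expects a TLS ClientHello as the very first bytes, so plaintext LDAP sent there cannot get a normal LDAP answer. Whether that is exactly what produced the PROTOCOL_ERROR above is not established by the thread, but it is the first thing to check. The following is an added example, not code from this thread or from the Apache LDAP API project, of StartTLS on port 389 that reads the root DSE to confirm the server advertises the operation before any credentials are sent. The host name, bind DN and password are placeholders; the trust anchors come from the JVM's default trust store, and setUseTls is deliberately left at its default so that the StartTLS request is issued exactly once, by the explicit startTls() call.

```java
// Added example, not code from this thread or from the Apache LDAP API project.
// Host, bind DN and password are placeholders; trust anchors come from the JVM's
// default trust store (pass a loaded KeyStore to tmf.init() to use a private one).
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class StartTlsClient {

    /** OID of the StartTLS extended operation (RFC 4511, section 4.14). */
    static final String START_TLS_OID = "1.3.6.1.4.1.1466.20037";

    /** True if the server's root DSE lists StartTLS among its supportedExtension values. */
    static boolean supportsStartTls(LdapNetworkConnection conn) throws LdapException {
        Entry rootDse = conn.getRootDse("supportedExtension");
        Attribute ext = rootDse.get("supportedExtension");
        return ext != null && ext.contains(START_TLS_OID);
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException, LdapException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM's default cacerts

        LdapConnectionConfig cfg = new LdapConnectionConfig();
        cfg.setLdapHost("ldap.example.com");
        cfg.setLdapPort(389);       // the plaintext port; StartTLS upgrades this very connection
        cfg.setUseSsl(false);       // useSsl(true) on 636 is LDAPS, a different mode; do not mix the two
        cfg.setSslProtocol("TLS");  // protocol for the SSLContext that startTls() installs
        cfg.setTrustManagers(tmf.getTrustManagers()); // replaces the API's accept-anything default
        cfg.setName("cn=Manager,dc=example,dc=com");
        cfg.setCredentials("mypass");

        LdapNetworkConnection conn = new LdapNetworkConnection(cfg);
        try {
            conn.connect(); // TCP only; nothing sensitive has been sent yet
            if (!supportsStartTls(conn)) {
                throw new LdapException("server does not advertise StartTLS; refusing to bind in the clear");
            }
            conn.startTls(); // StartTLS extended request, then the TLS handshake on the same socket
            conn.bind();     // credentials travel only inside the TLS session
            System.out.println("authenticated: " + conn.isAuthenticated());
        } finally {
            conn.close();
        }
    }
}
```

The root DSE read happens over plaintext, which is fine because it carries no secrets; an on-path attacker who strips the supportedExtension value only makes the client abort, since bind() is never reached without a successful startTls(). Pick one mode per server: LDAPS (useSsl, port 636) or StartTLS (port 389 plus startTls()), never both on the same connection.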
Re: LdapNetworkConnection - SSL handshake failed
Posted by Flavio Mattos <fl...@gmail.com>.
Hi Kiran.. thank you for replying to my message...
I tried to do what you suggested and it did not work. I have attached the
stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
failed.
public static void initConnection() throws LdapException, IOException {
    if (conn == null) {
        LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
        connectionConfig.setLdapHost("myhost");
        connectionConfig.setLdapPort(636);
        connectionConfig.setName("cn=Manager,dc=example,dc=com");
        connectionConfig.setCredentials("mypass");
        connectionConfig.setUseSsl(true);
        connectionConfig.setSslProtocol("SSLv3");
        conn = new LdapNetworkConnection(connectionConfig);
        conn.connect();
        conn.bind();
    }
}
I also tried the following code using tls and trustmanagers but this time
it gives me a Protocol error
org.apache.directory.api.ldap.model.exception.LdapOperationException: PROTOCOL_ERROR: The server will disconnect!
at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)

public static void initConnection() throws LdapException, IOException {
    if (conn == null) {
        LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
        try (FileInputStream fis = new FileInputStream("server.jks")) {
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            char[] password = "myCertPass".toCharArray();
            keyStore.load(fis, password);
            tmf.init(keyStore);
            connectionConfig.setTrustManagers(tmf.getTrustManagers());
        } catch (NoSuchAlgorithmException ex) {
            ex.printStackTrace(System.out);
        } catch (KeyStoreException ex) {
            ex.printStackTrace(System.out);
        } catch (CertificateException ex) {
            ex.printStackTrace(System.out);
        }
        // if any of the above fails, no trust managers are set and the code still connects
        connectionConfig.setLdapHost("myhost");
        connectionConfig.setLdapPort(636);
        connectionConfig.setName("cn=Manager,dc=example,dc=com");
        connectionConfig.setCredentials("mypass");
        connectionConfig.setSslProtocol("SSLv3");
        connectionConfig.setUseTls(true);
        conn = new LdapNetworkConnection(connectionConfig);
        conn.connect();
        conn.startTls();
    }
}
Thanks in advance
Flavio
On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <ka...@apache.org> wrote:
> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <flaviomattos86@gmail.com> wrote:
>
> > Hi guys..
> >
> > I have been trying to connect to an open ldap server using ssl/ldaps
> > I can connect to that server using apache studio(via ldaps) and I would
> > like to connect to the same server using the apache api.
> >
> > This is the code... One detail is that I generated the key in the server
> > using openssl
> >
> >
> > Then I have done some research and some people say that I need to generate
> > a key in the java pattern.. so then I generated a PKCS #12 key store using
> > something like
> >
> you don't need to do this unless you want your client to be verified with
> the server
>
> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> > and then
> > keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks
> > -srcstoretype pkcs12
> >
> >
> > I have attached the stacktrace..
> > The exception happens in the bind method
> >
> > public static void initConnection() throws LdapException, IOException {
> >
> >     LdapConnection conn ...
> >
> >     if (conn == null) {
> >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> >         KeyManagerFactory keyManagerFactory = null;
> >         try (FileInputStream fis = new FileInputStream("server.jks")) {
> >             keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
> >             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> >             char[] password = "mykeyPass".toCharArray();
> >
> >             keyStore.load(fis, password);
> >             keyManagerFactory.init(keyStore, password);
> >
> >             connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> >
> >         } catch (NoSuchAlgorithmException ex) {
> >             ex.printStackTrace(System.out);
> >         } catch (KeyStoreException ex) {
> >             ex.printStackTrace(System.out);
> >         } catch (UnrecoverableKeyException ex) {
> >             ex.printStackTrace(System.out);
> >         } catch (CertificateException ex) {
> >             ex.printStackTrace(System.out);
> >         }
> >
> >
> just drop all the above KeyManager code and the client will work.
>
> >         connectionConfig.setLdapHost("myhost");
> >         connectionConfig.setLdapPort(636);
> >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
> >         connectionConfig.setCredentials("mypass");
> >         connectionConfig.setUseSsl(true);
> >         connectionConfig.setSslProtocol("SSLv3");
> >         conn = new LdapNetworkConnection(connectionConfig);
> >
> >         conn.connect();
> >         conn.bind();
> >
> >     }
> >
> note that by default the client will trust any X509 certificate used by
> the server, if you want to restrict it then a custom trust manager must be
> provided and set using connectionConfig.setTrustManagers()
>
> > Thanks
> > Flavio
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
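Kiran's note in the quoted reply is the security point of this thread: with no trust managers set, the API accepts whatever certificate the server presents, so anyone on the path with any certificate at all can terminate the TLS session and read the bind credentials. Supplying a PKIX trust manager from a TrustManagerFactory fixes chain validation, but X509TrustManager.checkServerTrusted validates the chain only; nothing in that path compares the certificate to the host that was dialed, so a certificate issued by a trusted CA for some other name would still be accepted. The following is an added example, not code from this thread or from the Apache LDAP API project: a trust manager that delegates chain validation to the platform PKIX manager and then requires the leaf certificate to be issued for the expected host (dNSName subjectAltName entries when any are present, the subject CN only when there are none, one leftmost wildcard label). Host names and the trust store are placeholders.

```java
// Added example, not code from this thread or from the Apache LDAP API project.
// Host names and the trust store are placeholders.
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;

public final class HostCheckingTrustManager implements X509TrustManager {
    private static final int DNS_NAME = 2; // GeneralName tag of dNSName entries in subjectAltName
    private final X509TrustManager pkix;   // platform chain validation
    private final String host;             // the name we dialed, lower-cased

    HostCheckingTrustManager(X509TrustManager pkix, String host) {
        this.pkix = pkix;
        this.host = host.toLowerCase(Locale.ROOT);
    }

    /** Wraps the platform PKIX manager for trustStore (null = the JVM's default cacerts). */
    static HostCheckingTrustManager forHost(String host, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new HostCheckingTrustManager((X509TrustManager) tm, host);
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /** LDAPS config that validates both the chain and the host name of the server certificate. */
    static LdapConnectionConfig ldapsConfig(String host, KeyStore trustStore) throws Exception {
        LdapConnectionConfig cfg = new LdapConnectionConfig();
        cfg.setLdapHost(host);
        cfg.setLdapPort(636);
        cfg.setUseSsl(true);
        cfg.setSslProtocol("TLS");
        cfg.setTrustManagers(forHost(host, trustStore)); // replaces the accept-anything default
        return cfg;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkServerTrusted(chain, authType); // path to an anchor, signatures, validity, key usage
        if (!isIssuedFor(chain[0], host)) {
            throw new CertificateException("certificate " + chain[0].getSubjectX500Principal()
                    + " is not issued for " + host);
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkClientTrusted(chain, authType); // only reached if this manager also serves a listener
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return pkix.getAcceptedIssuers();
    }

    /** RFC 6125 style: dNSName SANs when any are present, otherwise the subject CN. */
    static boolean isIssuedFor(X509Certificate leaf, String host) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        boolean sawDnsName = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == DNS_NAME) {
                    sawDnsName = true;
                    if (labelsMatch((String) san.get(1), host)) return true;
                }
            }
        }
        if (sawDnsName) return false; // dNSName entries exist and none matched: the CN must not be consulted
        try {
            for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && labelsMatch(String.valueOf(rdn.getValue()), host)) {
                    return true;
                }
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        return false;
    }

    /** Exact match, or a single "*." wildcard that covers exactly one leftmost label. */
    static boolean labelsMatch(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }
}
```

Wire it in with setTrustManagers() as ldapsConfig() does; with a null store the JVM's default cacerts are the anchors, which is wrong for a private CA, so pass the store holding that CA. The host name check lives in the trust manager because JSSE only performs host name verification on an SSLEngine when an endpoint identification algorithm has been set on it, and nothing in the code on this page does that.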