Posted to dev@directory.apache.org by "Ralf Hauser (JIRA)" <di...@incubator.apache.org> on 2006/06/07 13:59:29 UTC

[jira] Created: (DIR-185) ldaps not working with gpg

ldaps not working with gpg
--------------------------

         Key: DIR-185
         URL: http://issues.apache.org/jira/browse/DIR-185
     Project: Directory
        Type: Bug

  Components: miscellaneous  
 Environment: cygwin gpg (GnuPG) 1.4.1
    Reporter: Ralf Hauser
 Assigned to: Alex Karasulu 


when doing 

myPc> gpg --keyserver ldaps://localhost:2636 --search micky -v
gpg: searching for "micky -v" from ldaps server localhost
gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
gpg: key "micky -v" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

on the server-side, I see 

<<7594 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] OPENED
8016 [IoThreadPool-1] INFO org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] CLOSED
8016 [IoThreadPool-1] ERROR org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler - [/127.0.0.1:1808] EXCEPTION:
javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:422)
	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:494)
	at org.apache.mina.common.support.AbstractIoFilterChain.access$1000(AbstractIoFilterChain.java:52)
	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:761)
	at org.apache.mina.filter.ThreadPoolFilter.processEvent(ThreadPoolFilter.java:665)
	at org.apache.mina.filter.ThreadPoolFilter$Worker.processEvents(ThreadPoolFilter.java:421)
	at org.apache.mina.filter.ThreadPoolFilter$Worker.run(ThreadPoolFilter.java:376)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unknown_ca
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1320)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1482)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:957)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:782)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:674)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
	at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:675)
	at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:492)
	at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:291)
	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:390)
	... 6 more>>

it would be great to know what CA gpg is presenting or what other measures would make this work...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Ralf Hauser (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416074 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

how about amending the error message passed through

     at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:675)

with a hint that one might have to consider loosening the policies in ~/.ldaprc  on the client side?



[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Ralf Hauser (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416073 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

Thanks, similar effect with "ldapsearch" (even under cygwin):

<<Ralf Hauser@Acer:~> ldapsearch -v -H ldaps://localhost:2636 -d5 -D "dn=micky" -w mouse -b "ou=PgpKeys,ou=domain" pgpuserid='test*'
ldap_initialize( ldaps://localhost:2636 )
ldap_create
ldap_url_parse_ext(ldaps://localhost:2636)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:2636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:2636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /DC=com/DC=domain/emailAddress=vlatkogj@domain.com.mk, issuer: /DC=com/DC=netcetera/emailAddress=vlatkogj@domain.com.mk
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>>

just adding 
  TLS_REQCERT never 
was enough.
You could get the cert with
   openssl s_client -connect localhost:2636
---------------

Ralf Hauser@Acer_Ralf:~> gpg.1.4.2.1 --keyserver ldaps://localhost:2636 --keyserver-options 'binddn=\"micky"' --keyserver-options bindpw=mouse --search Test
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "Test" from ldaps server localhost
gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
gpg: key "Test" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

so cygwin's gpg.1.4.2.1 and Windows' gpg.1.4.3 unfortunately don't appear to honour ~/.ldaprc




[jira] Closed: (DIR-185) ldaps not working with gpg

Posted by "Alex Karasulu (JIRA)" <di...@incubator.apache.org>.
     [ http://issues.apache.org/jira/browse/DIR-185?page=all ]

Alex Karasulu closed DIR-185.
-----------------------------

    Resolution: Fixed

Sounds like this has morphed into something other than the original issue which has been fixed.  


[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Joe Ammann (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416034 ] 

Joe Ammann commented on DIR-185:
--------------------------------

If gpg is based on OpenLDAP, you might have to reduce the LDAP connection security checks that are applied by default. To lower the checks performed by the OpenLDAP library, you can set properties in $HOME/.ldaprc

TLS_CACERT /path/to/cacert.pem
TLS_REQCERT never

ldap.conf(5) has more detailed descriptions of the options. I tested this with the GQ client, and setting the appropriate options allowed me to connect to an LDAPS server with a self-signed certificate.




[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Ralf Hauser (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416330 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

gnupg appears just to be adding the needed parameters on its own:

- keyserver-options ca-cert-file=/path/to/cacert.pem
- keyserver-options no-check-cert

see http://lists.gnupg.org/pipermail/gnupg-users/2006-June/028874.html

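The three client-side settings this thread settles on (the default verification that produced the unknown_ca alert, TLS_CACERT / gpg's ca-cert-file pointing at the server's own certificate, and TLS_REQCERT never / gpg's no-check-cert) differ in whether the server is authenticated at all. The following Go program is an added example, not code from the thread, ApacheDS, OpenLDAP or GnuPG: it stands up a loopback TLS listener with a constructed self-signed certificate, the situation the ldapsearch trace shows, and connects to it under each of the three postures. The names Demand, DemandCA, Never, Outcome and RunScenarios are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// The three client-side postures discussed in the thread; gpg's options map the same way.
const (
	Demand   = "TLS_REQCERT demand, no TLS_CACERT (the default)"
	DemandCA = "TLS_REQCERT demand + TLS_CACERT <server cert> (gpg: ca-cert-file)"
	Never    = "TLS_REQCERT never (gpg: no-check-cert)"
)

type Outcome struct {
	Connected     bool // handshake completed
	UnknownCA     bool // client rejected the chain: Go's form of the "unknown CA" alert
	Authenticated bool // the server's identity was actually verified
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newSelfSignedCert makes a constructed, throwaway self-signed certificate for 127.0.0.1, standing in for the one ApacheDS presented on port 2636.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed ldaps test server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startServer listens on an ephemeral loopback port and drives each handshake, so the server side sees the client's verdict the way ApacheDS logged it.
func startServer(cert tls.Certificate) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() { // serve until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			_ = c.(*tls.Conn).Handshake() // returns the client's alert when it rejects us
			c.Close()
		}
	}()
	return ln
}

// connect is the client side: the posture sets RootCAs / InsecureSkipVerify the way TLS_CACERT / TLS_REQCERT in ~/.ldaprc do for an OpenLDAP-based client.
func connect(addr, posture string, serverCert *x509.Certificate) Outcome {
	cfg := &tls.Config{}
	switch posture {
	case DemandCA:
		pool := x509.NewCertPool()
		pool.AddCert(serverCert) // trust exactly this self-signed cert, nothing else
		cfg.RootCAs = pool
	case Never:
		cfg.InsecureSkipVerify = true // no verification at all: any server is accepted
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return Outcome{UnknownCA: errors.As(err, new(x509.UnknownAuthorityError))}
	}
	conn.Close()
	return Outcome{Connected: true, Authenticated: !cfg.InsecureSkipVerify}
}

// RunScenarios tries all three postures against one throwaway server.
func RunScenarios() map[string]Outcome {
	cert, leaf := newSelfSignedCert()
	ln := startServer(cert)
	defer ln.Close()
	out := map[string]Outcome{}
	for _, p := range []string{Demand, DemandCA, Never} {
		out[p] = connect(ln.Addr().String(), p, leaf)
	}
	return out
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

The Never posture connects just like DemandCA does, but with no server authentication: pointing TLS_CACERT (or ca-cert-file) at the server's certificate gets the connection working without giving that up.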


[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Emmanuel Lecharny (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12419851 ] 

Emmanuel Lecharny commented on DIR-185:
---------------------------------------

It seems a little bit cumbersome, but if the problem is solved, except for the three points (exception handling, better message and better documentation), is it possible to file a JIRA for those points?

Just in case we close the error, we will at least have some other related open JIRAs to deal with :)

Then we will be able to mark this JIRA as closed.

Thanks !



[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Ralf Hauser (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12416333 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

apart from
1) catching the SSLHandshakeException in org.apache.mina.filter.support.SSLHandler.unwrapHandshake and amending its message with some hints for the .ldaprc and the gpg option before re-throwing, and
2) amending the docu in http://directory.apache.org/subprojects/apacheds/docs/users/configuration.html correspondingly

I guess this issue can be closed as "WORKSFORME"



[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Ralf Hauser (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12415414 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

Perhaps Sun's JSSE forum has more insight on this: http://forum.java.sun.com/thread.jspa?threadID=743508

For the gpg part, http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html has helpful hints.



[jira] Commented: (DIR-185) ldaps not working with gpg

Posted by "Ralf Hauser (JIRA)" <di...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/DIR-185?page=comments#action_12415212 ] 

Ralf Hauser commented on DIR-185:
---------------------------------

Apparently the very newest gpg version may be a little more helpful for solving this on the LDAP client side: http://lists.gnupg.org/pipermail/gnupg-users/2006-June/028801.html
