Posted to users@directory.apache.org by Emmanuel Quevillon <em...@omictools.com> on 2018/10/24 14:49:19 UTC

Not sure SSL/TLS is working properly

Hi,

I've freshly installed ApacheDirectory (AD) (2.0.0.AM25) on a debian server (9.5) and all installed nicely.
As recommended in the documentation, I've changed the admin user password. I did it using ApacheDirectory Studio (ADS) installed
on my mac.

So using ADS, I can connect nicely to AD using port 10389 (configured) using an unencrypted connection.
I've then decided to activate (and test) ldaps and tls as recommended in the documentation.
I've created my own keystore file to be loaded on the server under the /opt/apacheds-2.0.0.AM25/conf directory
and set this into ADS. The keystore file is valid for 10 years.

I've been able to create 2 new connections with ADS, one ldaps using port 10636 and one using TLS on port 10389,
all of them connecting with the admin user. All seems ok as I can open the connection using ADS to the remote server
and can navigate the LDAP tree.

My problem is that when I try to connect using ldapsearch on the command line, I cannot connect to the remote
server :(

So my first question is, are my ADS secured connections really secured?

The other question is, could someone light my lantern on this error thrown in the apacheDS logs:

[16:40:33] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
javax.net.ssl.SSLException: Unsupported record version Unknown-5.2
    at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
    at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
...
[16:40:33] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
javax.net.ssl.SSLException: SSLEngine error during encrypt: CLOSED src: java.nio.HeapByteBuffer[pos=0 lim=81 cap=81]outNetBuffer: HeapBuffer[pos=31 lim=16921 cap=16921: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00...]
    at org.apache.mina.filter.ssl.SslHandler.encrypt(SslHandler.java:458)
    at org.apache.mina.filter.ssl.SslFilter.filterWrite(SslFilter.java:653)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:753)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:49)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:1159)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:345)

What could cause the Unknown-5.2 error?

and from the ldapsearch command line utility:

$ ldapsearch -H ldap://host:10389  -D "uid=admin,ou=system" -b "uid=admin,ou=system" -w password -v -ZZ
ldap_initialize( ldap://host:10389/??base )
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)

in debug mode
...
ldap_msgfree
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
    additional info: (unknown error code)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
....

Looks like my certificate is revoked (it should be valid until 2028).

Trying ldaps:

$ ldapsearch -H ldaps://host:10636  -D "uid=admin,ou=system" -b "uid=admin,ou=system" -v -x
ldap_initialize( ldaps://host:10636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


This certificate has been created as such:

$ keytool -genkey -keyalg "RSA"  -alias ldap -keystore ldap.ks  -validity 3650

I've of course answered the question asked during certificate creation.

Thanks in advance, since it's been three days and I'm losing my nerves.

Regards

--
Emmanuel Quevillon
DevOps - omicX
https://omicx.com | https://omictools.com