From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: LdapNetworkConnection - SSL handshake failed
Date Tue, 18 Mar 2014 17:30:13 GMT
On Tue, Mar 18, 2014 at 10:53 PM, Flavio Mattos <flaviomattos86@gmail.com> wrote:

> here it is.. it was attached with the last email as well...
>
> attachments get stripped by ASF mailer

> Thanks
>
> 513 [NioProcessor-1] WARN
> org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake
> failed.
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
> at
>
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>  at
>
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> at
>
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
>  at
>
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
> at
>
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>  at
>
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
> at
>
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
>  at
>
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
> at
>
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
>  at
>
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
> at
>
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
>  at
>
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> at
>
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>  at
>
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:724)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>  at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
>  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
>  at
> org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
>  ... 15 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> at
>
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>  at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>  at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>  at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
>  at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
>  ... 17 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target
>
this is happening because of the TrustManager that LdapConnectionConfig uses by
default: it validates the server certificate against the JVM's trust store, and the
certificate you generated with openssl is not in that store, hence the PKIX path error

>  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>  at sun.security.validator.Validator.validate(Validator.java:260)
> at
>
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>  at
>
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
> at
>
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
>  at
>
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
> ... 25 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
>  at
>
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> ... 31 more
> 714 [main] ERROR org.apache.directory.ldap.client.api.LdapNetworkConnection
> - Message failed : something wrong has occurred
> org.apache.directory.ldap.client.api.exception.InvalidConnectionException:
> SSL handshake failed.
> at
>
> org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
>  at
>
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
> at
>
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
>  at
>
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
> at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)
>
>
>
>
> On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari <kayyagari@apache.org
> >wrote:
>
> > On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <
> flaviomattos86@gmail.com
> > >wrote:
> >
> > > Hi Kiran.. thank you for replying my message...
> > >
> > > I tried to do what you suggested and it did not work. I have attached
> the
> > > stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> > > failed.
> > >
> > please post the stacktrace as well
> >
> > >
> > > public static void initConnection() throws LdapException, IOException {
> > >      if (conn == null) {
> > >             LdapConnectionConfig connectionConfig = new
> > > LdapConnectionConfig();
> > >             connectionConfig.setLdapHost("myhost");
> > >             connectionConfig.setLdapPort(636);
> > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >             connectionConfig.setCredentials("mypass");
> > >             connectionConfig.setUseSsl(true);
> > >             connectionConfig.setSslProtocol("SSLv3");
>
add the below line here (and the appropriate import); note that this trust manager
accepts any server certificate, so the handshake will succeed but the client will no
longer notice a server presenting the wrong certificate; for anything beyond a quick
test, import the server's certificate into a truststore and set the TrustManagerFactory
result on connectionConfig instead, as in your second example
connectionConfig.setTrustManagers(new NoVerificationTrustManager());

> > >             conn = new LdapNetworkConnection(connectionConfig);
> > >
> > >             conn.connect();
> > >             conn.bind();
> > >
> > >         }
> > > }
> > >
> > > I also tried the following code using tls and trustmanagers but this
> time
> > > it gives me a Protocol error
> > >
>
the same fix (mentioned above) will work here; also, for StartTLS you _should_
use the non-SSL port: startTls() sends the StartTLS extended request over a plain
connection, which the LDAPS port (636) does not accept, hence the PROTOCOL_ERROR

> > > org.apache.directory.api.ldap.model.exception.LdapOperationException:
> > > PROTOCOL_ERROR: The server will disconnect!
> > > at
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
> > >
> > > public static void initConnection() throws LdapException, IOException {
> > >
> > >
> > >         if (conn == null) {
> > >             LdapConnectionConfig connectionConfig = new
> > > LdapConnectionConfig();
> > >
> > >             try {
> > >
> > >                 FileInputStream fis = new
> FileInputStream("server.jks");
> > >
> > >                 TrustManagerFactory tmf =
> > >
> >
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > >
> > >                 KeyStore keyStore =
> > > KeyStore.getInstance(KeyStore.getDefaultType());
> > >
> > >                 char[] password = new
> String("myCertPass").toCharArray();
> > >
> > >                 keyStore.load(fis, password);
> > >
> > >                 tmf.init(keyStore);
> > >
> > >
> > connectionConfig.setTrustManagers(tmf.getTrustManagers());
> > >
> > >             } catch (NoSuchAlgorithmException ex) {
> > >                 ex.printStackTrace(System.out);
> > >             } catch (KeyStoreException ex) {
> > >                 ex.printStackTrace(System.out);
> > >             } catch (CertificateException ex) {
> > >                 ex.printStackTrace(System.out);
> > >             }
> > >
> > >             connectionConfig.setLdapHost("myhost");
> > >             connectionConfig.setLdapPort(636);
> > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >             connectionConfig.setCredentials("mypass");
> > >             connectionConfig.setSslProtocol("SSLv3");
> > >             connectionConfig.setUseTls(true);
> > >             conn = new LdapNetworkConnection(connectionConfig);
> > >             conn.connect();
> > >             conn.startTls();
> > >
> > >         }
> > >
> > >     }
> > >
> > >
> > > Thanks in advance
> > >
> > > Flavio
> > >
> > >
> > > On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <kayyagari@apache.org
> > >wrote:
> > >
> > >> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <
> > flaviomattos86@gmail.com
> > >> >wrote:
> > >>
> > >> > Hi guys..
> > >> >
> > >> > I have been trying to connect to an open ldap server using ssl/ldaps
> > >> > I can connect to that server using apache studio(via ldaps) and I
> > would
> > >> > like to connect to the same server using the apache api.
> > >> >
> > >> > This is the code... One detail is that I generated the key in the
> > server
> > >> > using openssl
> > >> >
> > >> >
> > >> > Then I have done some research and some people say that I need to
> > >> generate
> > >> > a key in the java pattern.. so  then I generated a PKCS #12 key
> store
> > >> using
> > >> > something like
> > >> >
> > >> you don't need to do this unless you want the server to verify your client's
> > >> certificate (client certificate authentication); for a plain LDAPS connection
> > >> only the server's certificate needs to be trusted
> > >>
> > >> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> > >> > and then
> > >> > keytool -importkeystore -srckeystore server.p12 -destkeystore
> > server.jks
> > >> > -srcstoretype pkcs12
> > >> >
> > >> >
> > >> > I have attached the stacktrace..
> > >> > The exception happens in the bind method
> > >> >
> > >> > public static void initConnection() throws LdapException,
> IOException
> > {
> > >> >
> > >> > LdapConnection conn ...
> > >> >
> > >> >         if (conn == null) {
> > >> >             LdapConnectionConfig connectionConfig = new
> > >> > LdapConnectionConfig();
> > >> >             KeyManagerFactory keyManagerFactory = null;
> > >> >             try {
> > >> >
> > >> >                 FileInputStream fis = new
> > FileInputStream("server.jks");
> > >> >
> > >> >
> > >> >                 keyManagerFactory =
> > >> > KeyManagerFactory.getInstance("SunX509");
> > >> >                 KeyStore keyStore =
> > >> > KeyStore.getInstance(KeyStore.getDefaultType());
> > >> >                 char[] password = new
> > String("mykeyPass").toCharArray();
> > >> >
> > >> >                 keyStore.load(fis, password);
> > >> >
> > >> >                 keyManagerFactory.init(keyStore, password);
> > >> >
> > >> >                 keyManagerFactory.getKeyManagers();
> > >> >
> > >> > connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> > >> >
> > >> >             } catch (NoSuchAlgorithmException ex) {
> > >> >                 ex.printStackTrace(System.out);
> > >> >             } catch (KeyStoreException ex) {
> > >> >                 ex.printStackTrace(System.out);
> > >> >             } catch (UnrecoverableKeyException ex) {
> > >> >                 ex.printStackTrace(System.out);
> > >> >             } catch (CertificateException ex) {
> > >> >                 ex.printStackTrace(System.out);
> > >> >             }
> > >> >
> > >> >
> > >> just drop all the above KeyManager code and the client will work.
> > >>
> > >> >             connectionConfig.setLdapHost("myhost");
> > >> >             connectionConfig.setLdapPort(636);
> > >> >
> connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >> >             connectionConfig.setCredentials("mypass");
> > >> >             connectionConfig.setUseSsl(true);
> > >> >             connectionConfig.setSslProtocol("SSLv3");
> > >> >             conn = new LdapNetworkConnection(connectionConfig);
> > >> >
> > >> >             conn.connect();
> > >> >     conn.bind();
> > >> >
> > >> >         }
> > >> >
> > >> note that by default the client will trust any X509 certificate used by
> > >> the server; if you want to restrict it, a custom trust manager must be
> > >> provided and set using connectionConfig.setTrustManagers()
> > >>
> > >> > Thanks
> > >> > Flavio
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Kiran Ayyagari
> > >> http://keydap.com
> > >>
> > >
> > >
> >
> >
> > --
> > Kiran Ayyagari
> > http://keydap.com
> >
>



-- 
Kiran Ayyagari
http://keydap.com
