directory-api mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: LdapNetworkConnection - SSL handshake failed
Date Tue, 18 Mar 2014 02:33:04 GMT
On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <flaviomattos86@gmail.com>wrote:

> Hi guys..
>
> I have been trying to connect to an open ldap server using ssl/ldaps
> I can connect to that server using apache studio(via ldaps) and I would
> like to connect to the same server using the apache api.
>
> This is the code... One detail is that I generated the key in the server
> using openssl
>
>
> Then I have done some research and some people say that I need to generate
> a key in the java pattern.. so  then I generated a PKCS #12 key store using
> something like
>
> you don't need to do this unless you want your client to be verified with
the server

> openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> and then
> keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks
> -srcstoretype pkcs12
>
>
> I have attached the stacktrace..
> The exception happens in the bind method
>
> public static void initConnection() throws LdapException, IOException {
>
> LdapConnection conn ...
>
>         if (conn == null) {
>             LdapConnectionConfig connectionConfig = new
> LdapConnectionConfig();
>             KeyManagerFactory keyManagerFactory = null;
>             try {
>
>                 FileInputStream fis = new FileInputStream("server.jks");
>
>
>                 keyManagerFactory =
> KeyManagerFactory.getInstance("SunX509");
>                 KeyStore keyStore =
> KeyStore.getInstance(KeyStore.getDefaultType());
>                 char[] password = new String("mykeyPass").toCharArray();
>
>                 keyStore.load(fis, password);
>
>                 keyManagerFactory.init(keyStore, password);
>
>                 keyManagerFactory.getKeyManagers();
>
> connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
>
>             } catch (NoSuchAlgorithmException ex) {
>                 ex.printStackTrace(System.out);
>             } catch (KeyStoreException ex) {
>                 ex.printStackTrace(System.out);
>             } catch (UnrecoverableKeyException ex) {
>                 ex.printStackTrace(System.out);
>             } catch (CertificateException ex) {
>                 ex.printStackTrace(System.out);
>             }
>
>
just drop all the above KeyManager code and the client will work.

>             connectionConfig.setLdapHost("myhost");
>             connectionConfig.setLdapPort(636);
>             connectionConfig.setName("cn=Manager,dc=example,dc=com");
>             connectionConfig.setCredentials("mypass");
>             connectionConfig.setUseSsl(true);
>             connectionConfig.setSslProtocol("SSLv3");
>             conn = new LdapNetworkConnection(connectionConfig);
>
>             conn.connect();
>     conn.bind();
>
>         }
>
> note that by default the client will trust any X509 certificate used by
the server, if you want
to restrict it then a custom trust manager must be provided and set using
connectionConfig.setTrustManagers()

> Thanks
> Flavio
>



-- 
Kiran Ayyagari
http://keydap.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message