directory-api mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Flavio Mattos <flaviomatto...@gmail.com>
Subject Re: LdapNetworkConnection - SSL handshake failed
Date Tue, 18 Mar 2014 17:23:48 GMT
here it is.. it was attached with the last email as well...

Thanks

513 [NioProcessor-1] WARN
org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake
failed.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
 at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
 at
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
 at
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
 at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
 at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
 at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
 at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
 at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
 at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
 at
org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
 ... 15 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
 at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
 at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
 at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
 ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
 at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
 at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
 at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
 at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 31 more
714 [main] ERROR org.apache.directory.ldap.client.api.LdapNetworkConnection
- Message failed : something wrong has occurred
org.apache.directory.ldap.client.api.exception.InvalidConnectionException:
SSL handshake failed.
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
 at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
 at
org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)




On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari <kayyagari@apache.org>wrote:

> On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <flaviomattos86@gmail.com
> >wrote:
>
> > Hi Kiran.. thank you for replying my message...
> >
> > I tried to do what you suggested and it did not work. I have attached the
> > stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> > failed.
> >
> please post the stacktrace as well
>
> >
> > public static void initConnection() throws LdapException, IOException {
> >      if (conn == null) {
> >             LdapConnectionConfig connectionConfig = new
> > LdapConnectionConfig();
> >             connectionConfig.setLdapHost("myhost");
> >             connectionConfig.setLdapPort(636);
> >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> >             connectionConfig.setCredentials("mypass");
> >             connectionConfig.setUseSsl(true);
> >             connectionConfig.setSslProtocol("SSLv3");
> >             conn = new LdapNetworkConnection(connectionConfig);
> >
> >             conn.connect();
> >             conn.bind();
> >
> >         }
> > }
> >
> > I also tried the following code using tls and trustmanagers but this time
> > it gives me a Protocol error
> >
> > org.apache.directory.api.ldap.model.exception.LdapOperationException:
> > PROTOCOL_ERROR: The server will disconnect!
> > at
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
> >
> > public static void initConnection() throws LdapException, IOException {
> >
> >
> >         if (conn == null) {
> >             LdapConnectionConfig connectionConfig = new
> > LdapConnectionConfig();
> >
> >             try {
> >
> >                 FileInputStream fis = new FileInputStream("server.jks");
> >
> >                 TrustManagerFactory tmf =
> >
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> >
> >                 KeyStore keyStore =
> > KeyStore.getInstance(KeyStore.getDefaultType());
> >
> >                 char[] password = new String("myCertPass").toCharArray();
> >
> >                 keyStore.load(fis, password);
> >
> >                 tmf.init(keyStore);
> >
> >
> connectionConfig.setTrustManagers(tmf.getTrustManagers());
> >
> >             } catch (NoSuchAlgorithmException ex) {
> >                 ex.printStackTrace(System.out);
> >             } catch (KeyStoreException ex) {
> >                 ex.printStackTrace(System.out);
> >             } catch (CertificateException ex) {
> >                 ex.printStackTrace(System.out);
> >             }
> >
> >             connectionConfig.setLdapHost("myhost");
> >             connectionConfig.setLdapPort(636);
> >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> >             connectionConfig.setCredentials("mypass");
> >             connectionConfig.setSslProtocol("SSLv3");
> >             connectionConfig.setUseTls(true);
> >             conn = new LdapNetworkConnection(connectionConfig);
> >             conn.connect();
> >             conn.startTls();
> >
> >         }
> >
> >     }
> >
> >
> > Thanks in advance
> >
> > Flavio
> >
> >
> > On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <kayyagari@apache.org
> >wrote:
> >
> >> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <
> flaviomattos86@gmail.com
> >> >wrote:
> >>
> >> > Hi guys..
> >> >
> >> > I have been trying to connect to an open ldap server using ssl/ldaps
> >> > I can connect to that server using apache studio(via ldaps) and I
> would
> >> > like to connect to the same server using the apache api.
> >> >
> >> > This is the code... One detail is that I generated the key in the
> server
> >> > using openssl
> >> >
> >> >
> >> > Then I have done some research and some people say that I need to
> >> generate
> >> > a key in the java pattern.. so  then I generated a PKCS #12 key store
> >> using
> >> > something like
> >> >
> >> > you don't need to do this unless you want your client to be verified
> >> with
> >> the server
> >>
> >> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> >> > and then
> >> > keytool -importkeystore -srckeystore server.p12 -destkeystore
> server.jks
> >> > -srcstoretype pkcs12
> >> >
> >> >
> >> > I have attached the stacktrace..
> >> > The exception happens in the bind method
> >> >
> >> > public static void initConnection() throws LdapException, IOException
> {
> >> >
> >> > LdapConnection conn ...
> >> >
> >> >         if (conn == null) {
> >> >             LdapConnectionConfig connectionConfig = new
> >> > LdapConnectionConfig();
> >> >             KeyManagerFactory keyManagerFactory = null;
> >> >             try {
> >> >
> >> >                 FileInputStream fis = new
> FileInputStream("server.jks");
> >> >
> >> >
> >> >                 keyManagerFactory =
> >> > KeyManagerFactory.getInstance("SunX509");
> >> >                 KeyStore keyStore =
> >> > KeyStore.getInstance(KeyStore.getDefaultType());
> >> >                 char[] password = new
> String("mykeyPass").toCharArray();
> >> >
> >> >                 keyStore.load(fis, password);
> >> >
> >> >                 keyManagerFactory.init(keyStore, password);
> >> >
> >> >                 keyManagerFactory.getKeyManagers();
> >> >
> >> > connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> >> >
> >> >             } catch (NoSuchAlgorithmException ex) {
> >> >                 ex.printStackTrace(System.out);
> >> >             } catch (KeyStoreException ex) {
> >> >                 ex.printStackTrace(System.out);
> >> >             } catch (UnrecoverableKeyException ex) {
> >> >                 ex.printStackTrace(System.out);
> >> >             } catch (CertificateException ex) {
> >> >                 ex.printStackTrace(System.out);
> >> >             }
> >> >
> >> >
> >> just drop all the above KeyManager code and the client will work.
> >>
> >> >             connectionConfig.setLdapHost("myhost");
> >> >             connectionConfig.setLdapPort(636);
> >> >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> >> >             connectionConfig.setCredentials("mypass");
> >> >             connectionConfig.setUseSsl(true);
> >> >             connectionConfig.setSslProtocol("SSLv3");
> >> >             conn = new LdapNetworkConnection(connectionConfig);
> >> >
> >> >             conn.connect();
> >> >     conn.bind();
> >> >
> >> >         }
> >> >
> >> > note that by default the client will trust any X509 certificate used
> by
> >> the server, if you want
> >> to restrict it then a custom trust manager must be provided and set
> using
> >> connectionConfig.setTrustManagers()
> >>
> >> > Thanks
> >> > Flavio
> >> >
> >>
> >>
> >>
> >> --
> >> Kiran Ayyagari
> >> http://keydap.com
> >>
> >
> >
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message