directory-api mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Flavio Mattos <flaviomatto...@gmail.com>
Subject Re: LdapNetworkConnection - SSL handshake failed
Date Tue, 18 Mar 2014 17:38:12 GMT
Kiran.. thank you so much for your time.. it worked!..
I am posting the code.. just in case someone needs it..

public static void initConnection() throws LdapException, IOException {

        if (conn == null) {
            LdapConnectionConfig connectionConfig = new
LdapConnectionConfig();
            connectionConfig.setTrustManagers(new
NoVerificationTrustManager());
            connectionConfig.setLdapHost("myhost");
            connectionConfig.setLdapPort(636);
            connectionConfig.setName("cn=Manager,dc=example,dc=com");
            connectionConfig.setCredentials("mypass");
            connectionConfig.setSslProtocol("SSLv3");
            connectionConfig.setUseSsl(true);

            conn = new LdapNetworkConnection(connectionConfig);
            conn.connect();

        }

    }


On Tue, Mar 18, 2014 at 10:30 AM, Kiran Ayyagari <kayyagari@apache.org>wrote:

> On Tue, Mar 18, 2014 at 10:53 PM, Flavio Mattos <flaviomattos86@gmail.com
> >wrote:
>
> > here it is.. it was attached with the last email as well...
> >
> > attachments get stripped by ASF mailer
>
> > Thanks
> >
> > 513 [NioProcessor-1] WARN
> > org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL
> handshake
> > failed.
> > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> > at
> org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
> > at
> >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >  at
> >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> > at
> >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> >  at
> >
> >
> org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
> > at
> >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >  at
> >
> >
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
> > at
> >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
> >  at
> >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
> > at
> >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
> >  at
> >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
> > at
> >
> >
> org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
> >  at
> >
> >
> org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> > at
> >
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >  at
> >
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > at java.lang.Thread.run(Thread.java:724)
> > Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> > at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
> > at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
> >  at
> sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
> > at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
> >  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> > at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
> >  at
> >
> org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
> > at
> org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
> >  ... 15 more
> > Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
> > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
> >  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> > at
> >
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
> >  at
> >
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
> >  at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
> > at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
> >  at java.security.AccessController.doPrivileged(Native Method)
> > at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
> >  at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
> > at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
> >  ... 17 more
> > Caused by: sun.security.validator.ValidatorException: PKIX path building
> > failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable
> > to find valid certification path to requested target
> >
> this is happening due to the default TrustManager set by default in
> LdapConnectionConfig
>
> >  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> > at
> >
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >  at sun.security.validator.Validator.validate(Validator.java:260)
> > at
> >
> >
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> >  at
> >
> >
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
> > at
> >
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
> >  at
> >
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
> > ... 25 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> > unable to find valid certification path to requested target
> >  at
> >
> >
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> >  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> > ... 31 more
> > 714 [main] ERROR
> org.apache.directory.ldap.client.api.LdapNetworkConnection
> > - Message failed : something wrong has occurred
> >
> org.apache.directory.ldap.client.api.exception.InvalidConnectionException:
> > SSL handshake failed.
> > at
> >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
> >  at
> >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
> > at
> >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
> >  at
> >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
> > at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)
> >
> >
> >
> >
> > On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari <kayyagari@apache.org
> > >wrote:
> >
> > > On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <
> > flaviomattos86@gmail.com
> > > >wrote:
> > >
> > > > Hi Kiran.. thank you for replying my message...
> > > >
> > > > I tried to do what you suggested and it did not work. I have attached
> > the
> > > > stack trace.. it keeps giving me LdapNetworkConnection - SSL
> handshake
> > > > failed.
> > > >
> > > please post the stacktrace as well
> > >
> > > >
> > > > public static void initConnection() throws LdapException,
> IOException {
> > > >      if (conn == null) {
> > > >             LdapConnectionConfig connectionConfig = new
> > > > LdapConnectionConfig();
> > > >             connectionConfig.setLdapHost("myhost");
> > > >             connectionConfig.setLdapPort(636);
> > > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > > >             connectionConfig.setCredentials("mypass");
> > > >             connectionConfig.setUseSsl(true);
> > > >             connectionConfig.setSslProtocol("SSLv3");
> >
> add the below line here
> connectionConfig.setTrustManagers(new NoVerificationTrustManager()); // add
> the appropriate import
>
> > > >             conn = new LdapNetworkConnection(connectionConfig);
> > > >
> > > >             conn.connect();
> > > >             conn.bind();
> > > >
> > > >         }
> > > > }
> > > >
> > > > I also tried the following code using tls and trustmanagers but this
> > time
> > > > it gives me a Protocol error
> > > >
> >
> the same fix(mentioned above) will work here, and also for TLS you _should_
> use the non-SSL port
>
> > > > org.apache.directory.api.ldap.model.exception.LdapOperationException:
> > > > PROTOCOL_ERROR: The server will disconnect!
> > > > at
> > > >
> > >
> >
> org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
> > > >
> > > > public static void initConnection() throws LdapException,
> IOException {
> > > >
> > > >
> > > >         if (conn == null) {
> > > >             LdapConnectionConfig connectionConfig = new
> > > > LdapConnectionConfig();
> > > >
> > > >             try {
> > > >
> > > >                 FileInputStream fis = new
> > FileInputStream("server.jks");
> > > >
> > > >                 TrustManagerFactory tmf =
> > > >
> > >
> >
> TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > > >
> > > >                 KeyStore keyStore =
> > > > KeyStore.getInstance(KeyStore.getDefaultType());
> > > >
> > > >                 char[] password = new
> > String("myCertPass").toCharArray();
> > > >
> > > >                 keyStore.load(fis, password);
> > > >
> > > >                 tmf.init(keyStore);
> > > >
> > > >
> > > connectionConfig.setTrustManagers(tmf.getTrustManagers());
> > > >
> > > >             } catch (NoSuchAlgorithmException ex) {
> > > >                 ex.printStackTrace(System.out);
> > > >             } catch (KeyStoreException ex) {
> > > >                 ex.printStackTrace(System.out);
> > > >             } catch (CertificateException ex) {
> > > >                 ex.printStackTrace(System.out);
> > > >             }
> > > >
> > > >             connectionConfig.setLdapHost("myhost");
> > > >             connectionConfig.setLdapPort(636);
> > > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > > >             connectionConfig.setCredentials("mypass");
> > > >             connectionConfig.setSslProtocol("SSLv3");
> > > >             connectionConfig.setUseTls(true);
> > > >             conn = new LdapNetworkConnection(connectionConfig);
> > > >             conn.connect();
> > > >             conn.startTls();
> > > >
> > > >         }
> > > >
> > > >     }
> > > >
> > > >
> > > > Thanks in advance
> > > >
> > > > Flavio
> > > >
> > > >
> > > > On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <
> kayyagari@apache.org
> > > >wrote:
> > > >
> > > >> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <
> > > flaviomattos86@gmail.com
> > > >> >wrote:
> > > >>
> > > >> > Hi guys..
> > > >> >
> > > >> > I have been trying to connect to an open ldap server using
> ssl/ldaps
> > > >> > I can connect to that server using apache studio(via ldaps) and
I
> > > would
> > > >> > like to connect to the same server using the apache api.
> > > >> >
> > > >> > This is the code... One detail is that I generated the key in
the
> > > server
> > > >> > using openssl
> > > >> >
> > > >> >
> > > >> > Then I have done some research and some people say that I need
to
> > > >> generate
> > > >> > a key in the java pattern.. so  then I generated a PKCS #12 key
> > store
> > > >> using
> > > >> > something like
> > > >> >
> > > >> > you don't need to do this unless you want your client to be
> verified
> > > >> with
> > > >> the server
> > > >>
> > > >> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> > > >> > and then
> > > >> > keytool -importkeystore -srckeystore server.p12 -destkeystore
> > > server.jks
> > > >> > -srcstoretype pkcs12
> > > >> >
> > > >> >
> > > >> > I have attached the stacktrace..
> > > >> > The exception happens in the bind method
> > > >> >
> > > >> > public static void initConnection() throws LdapException,
> > IOException
> > > {
> > > >> >
> > > >> > LdapConnection conn ...
> > > >> >
> > > >> >         if (conn == null) {
> > > >> >             LdapConnectionConfig connectionConfig = new
> > > >> > LdapConnectionConfig();
> > > >> >             KeyManagerFactory keyManagerFactory = null;
> > > >> >             try {
> > > >> >
> > > >> >                 FileInputStream fis = new
> > > FileInputStream("server.jks");
> > > >> >
> > > >> >
> > > >> >                 keyManagerFactory =
> > > >> > KeyManagerFactory.getInstance("SunX509");
> > > >> >                 KeyStore keyStore =
> > > >> > KeyStore.getInstance(KeyStore.getDefaultType());
> > > >> >                 char[] password = new
> > > String("mykeyPass").toCharArray();
> > > >> >
> > > >> >                 keyStore.load(fis, password);
> > > >> >
> > > >> >                 keyManagerFactory.init(keyStore, password);
> > > >> >
> > > >> >                 keyManagerFactory.getKeyManagers();
> > > >> >
> > > >> >
> connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> > > >> >
> > > >> >             } catch (NoSuchAlgorithmException ex) {
> > > >> >                 ex.printStackTrace(System.out);
> > > >> >             } catch (KeyStoreException ex) {
> > > >> >                 ex.printStackTrace(System.out);
> > > >> >             } catch (UnrecoverableKeyException ex) {
> > > >> >                 ex.printStackTrace(System.out);
> > > >> >             } catch (CertificateException ex) {
> > > >> >                 ex.printStackTrace(System.out);
> > > >> >             }
> > > >> >
> > > >> >
> > > >> just drop all the above KeyManager code and the client will work.
> > > >>
> > > >> >             connectionConfig.setLdapHost("myhost");
> > > >> >             connectionConfig.setLdapPort(636);
> > > >> >
> > connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > > >> >             connectionConfig.setCredentials("mypass");
> > > >> >             connectionConfig.setUseSsl(true);
> > > >> >             connectionConfig.setSslProtocol("SSLv3");
> > > >> >             conn = new LdapNetworkConnection(connectionConfig);
> > > >> >
> > > >> >             conn.connect();
> > > >> >     conn.bind();
> > > >> >
> > > >> >         }
> > > >> >
> > > >> > note that by default the client will trust any X509 certificate
> used
> > > by
> > > >> the server, if you want
> > > >> to restrict it then a custom trust manager must be provided and set
> > > using
> > > >> connectionConfig.setTrustManagers()
> > > >>
> > > >> > Thanks
> > > >> > Flavio
> > > >> >
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Kiran Ayyagari
> > > >> http://keydap.com
> > > >>
> > > >
> > > >
> > >
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
> > >
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message