directory-api mailing list archives

From Flavio Mattos <flaviomatto...@gmail.com>
Subject Re: LdapNetworkConnection - SSL handshake failed
Date Tue, 18 Mar 2014 17:14:35 GMT
Hi Kiran, thank you for replying to my message.

I tried to do what you suggested and it did not work. I have attached the
stack trace; it keeps giving me "LdapNetworkConnection - SSL handshake
failed".

import java.io.IOException;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// connection shared by the class
private static LdapConnection conn;

public static void initConnection() throws LdapException, IOException {
    if (conn == null) {
        LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
        connectionConfig.setLdapHost("myhost");
        connectionConfig.setLdapPort(636);
        connectionConfig.setName("cn=Manager,dc=example,dc=com");
        connectionConfig.setCredentials("mypass");
        connectionConfig.setUseSsl(true);          // LDAPS on port 636
        connectionConfig.setSslProtocol("SSLv3");
        conn = new LdapNetworkConnection(connectionConfig);

        conn.connect();
        conn.bind();
    }
}

I also tried the following code using TLS and trust managers, but this time
it gives me a protocol error:

org.apache.directory.api.ldap.model.exception.LdapOperationException:
PROTOCOL_ERROR: The server will disconnect!
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)

import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// connection shared by the class
private static LdapConnection conn;

public static void initConnection() throws LdapException, IOException {
    if (conn == null) {
        LdapConnectionConfig connectionConfig = new LdapConnectionConfig();

        // Load server.jks and hand its trust managers to the connection config;
        // try-with-resources closes the stream once the store has been read
        try (FileInputStream fis = new FileInputStream("server.jks")) {
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            char[] password = "myCertPass".toCharArray();
            keyStore.load(fis, password);
            tmf.init(keyStore);
            connectionConfig.setTrustManagers(tmf.getTrustManagers());
        } catch (NoSuchAlgorithmException | KeyStoreException | CertificateException ex) {
            ex.printStackTrace(System.out);
        }

        connectionConfig.setLdapHost("myhost");
        connectionConfig.setLdapPort(636);
        connectionConfig.setName("cn=Manager,dc=example,dc=com");
        connectionConfig.setCredentials("mypass");
        connectionConfig.setSslProtocol("SSLv3");
        connectionConfig.setUseTls(true);
        conn = new LdapNetworkConnection(connectionConfig);
        conn.connect();
        conn.startTls();
    }
}


Thanks in advance

Flavio


On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <flaviomattos86@gmail.com> wrote:
>
> > Hi guys,
> >
> > I have been trying to connect to an OpenLDAP server using SSL/LDAPS.
> > I can connect to that server using Apache Studio (via LDAPS) and I would
> > like to connect to the same server using the Apache API.
> >
> > This is the code. One detail is that I generated the key on the server
> > using OpenSSL.
> >
> >
> > Then I did some research, and some people say that I need to generate
> > a key in the Java format, so I generated a PKCS #12 key store using
> > something like
> >
> you don't need to do this unless you want your client to be verified with
> the server
>
> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> > and then
> > keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
> >
> >
> > I have attached the stack trace.
> > The exception happens in the bind method.
> >
> > public static void initConnection() throws LdapException, IOException {
> >
> > LdapConnection conn ...
> >
> >         if (conn == null) {
> >             LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> >             KeyManagerFactory keyManagerFactory = null;
> >             try {
> >
> >                 FileInputStream fis = new FileInputStream("server.jks");
> >
> >                 keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
> >                 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> >                 char[] password = new String("mykeyPass").toCharArray();
> >
> >                 keyStore.load(fis, password);
> >
> >                 keyManagerFactory.init(keyStore, password);
> >
> >                 keyManagerFactory.getKeyManagers();
> >
> >                 connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> >
> >             } catch (NoSuchAlgorithmException ex) {
> >                 ex.printStackTrace(System.out);
> >             } catch (KeyStoreException ex) {
> >                 ex.printStackTrace(System.out);
> >             } catch (UnrecoverableKeyException ex) {
> >                 ex.printStackTrace(System.out);
> >             } catch (CertificateException ex) {
> >                 ex.printStackTrace(System.out);
> >             }
> >
> >
> just drop all the above KeyManager code and the client will work.
>
> >             connectionConfig.setLdapHost("myhost");
> >             connectionConfig.setLdapPort(636);
> >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> >             connectionConfig.setCredentials("mypass");
> >             connectionConfig.setUseSsl(true);
> >             connectionConfig.setSslProtocol("SSLv3");
> >             conn = new LdapNetworkConnection(connectionConfig);
> >
> >             conn.connect();
> >             conn.bind();
> >
> >         }
> >
> note that by default the client will trust any X509 certificate used by
> the server, if you want to restrict it then a custom trust manager must
> be provided and set using connectionConfig.setTrustManagers()
>
> > Thanks
> > Flavio
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>

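Putting Kiran's trust-manager note into practice, here is an added example (mine, not code from this thread or from the Apache Directory project) that connects with the same API while trusting only one CA. It assumes a file ca.pem holding the CA certificate that signed the server's certificate, that the server offers LDAPS on 636 and accepts StartTLS on 389, and that the API version in use, like the one in the post, performs the StartTLS upgrade only when startTls() is called explicitly. It uses "TLS" rather than "SSLv3" as the protocol name. The two transports are kept apart on purpose: LDAPS is TLS from the first byte on its own port, while StartTLS is an LDAP extended operation sent in the clear on the ordinary port and then upgraded, so the two cannot be combined on one port. One caveat: trust managers built by TrustManagerFactory validate the chain only; they do not compare the certificate's subject or SAN against the host name, so a certificate for any name issued by that CA is still accepted unless the API version in use adds endpoint identification.

```java
// Added example, not code from the thread or from the Apache Directory project:
// an LDAPS and a StartTLS connection that each trust only one CA certificate.
// Assumed: a PEM file ca.pem holding the CA that signed the server certificate,
// host "myhost", and the bind DN and password from the original post.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class CaPinnedLdapClient {

    /** Trust managers that accept only chains ending at the CA in caPemPath. */
    static TrustManager[] trustManagersFor(String caPemPath)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = cf.generateCertificate(in); // first PEM or DER certificate in the file
        }
        // In-memory trust store holding the CA certificate only: no private key,
        // so no PKCS#12/keytool conversion and no KeyManager is involved.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("ldap-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Settings shared by both transports; the trust managers replace the accept-anything default. */
    static LdapConnectionConfig baseConfig(String host, int port, String bindDn,
                                           String password, String caPemPath)
            throws IOException, GeneralSecurityException {
        LdapConnectionConfig cfg = new LdapConnectionConfig();
        cfg.setLdapHost(host);
        cfg.setLdapPort(port);
        cfg.setName(bindDn);
        cfg.setCredentials(password);
        cfg.setSslProtocol("TLS");                         // let JSSE negotiate TLS, never SSLv3
        cfg.setTrustManagers(trustManagersFor(caPemPath)); // server chain must end at our CA
        return cfg;
    }

    /** LDAPS: the socket speaks TLS from the first byte; 636 is the conventional port. */
    static LdapNetworkConnection connectLdaps(String host, String bindDn, String password,
                                              String caPemPath)
            throws IOException, GeneralSecurityException, LdapException {
        LdapConnectionConfig cfg = baseConfig(host, 636, bindDn, password, caPemPath);
        cfg.setUseSsl(true);
        LdapNetworkConnection conn = new LdapNetworkConnection(cfg);
        conn.connect();
        conn.bind(); // the password is sent only after the TLS handshake succeeded
        return conn;
    }

    /** StartTLS: plain LDAP on 389, upgraded by the StartTLS extended operation before binding. */
    static LdapNetworkConnection connectStartTls(String host, String bindDn, String password,
                                                 String caPemPath)
            throws IOException, GeneralSecurityException, LdapException {
        LdapConnectionConfig cfg = baseConfig(host, 389, bindDn, password, caPemPath);
        // useSsl stays false; useTls is left at its default (assumption: this API version
        // does not need the flag for an explicit call), so the upgrade request goes out once.
        LdapNetworkConnection conn = new LdapNetworkConnection(cfg);
        conn.connect();
        conn.startTls(); // the handshake that follows uses the trust managers from baseConfig
        conn.bind();
        return conn;
    }

    public static void main(String[] args) throws Exception {
        LdapNetworkConnection conn = connectLdaps("myhost", "cn=Manager,dc=example,dc=com",
                                                  "mypass", "ca.pem");
        try {
            System.out.println("authenticated over LDAPS: " + conn.isAuthenticated());
        } finally {
            conn.close();
        }
    }
}
```

Starting from the thread's own files, the same effect without the in-memory store is `keytool -importcert -trustcacerts -alias ldap-ca -file ca.pem -keystore truststore.jks` followed by loading that file as in the second listing of the post. What matters is that the store handed to the TrustManagerFactory contains the CA (or the server certificate itself) and that no KeyManager is configured unless the server demands a client certificate, which is the point Kiran makes above.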