From: Flavio Mattos
To: api@directory.apache.org
Date: Tue, 18 Mar 2014 10:38:12 -0700
Subject: Re: LdapNetworkConnection - SSL handshake failed
List: api@directory.apache.org (Apache Directory API users list)

Kiran, thank you so much for your time. It worked! I am posting the code, just in case someone needs it:

    import java.io.IOException;

    import org.apache.directory.api.ldap.model.exception.LdapException;
    import org.apache.directory.ldap.client.api.LdapConnectionConfig;
    import org.apache.directory.ldap.client.api.LdapNetworkConnection;
    import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

    // connection shared by the class (declaration omitted in the original post)
    private static LdapNetworkConnection conn;

    public static void initConnection() throws LdapException, IOException {
        if (conn == null) {
            LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
            // NoVerificationTrustManager accepts whatever certificate the server
            // presents; no PKIX chain validation is performed on the connection.
            connectionConfig.setTrustManagers(new NoVerificationTrustManager());
            connectionConfig.setLdapHost("myhost");
            connectionConfig.setLdapPort(636);
            connectionConfig.setName("cn=Manager,dc=example,dc=com");
            connectionConfig.setCredentials("mypass");
            connectionConfig.setSslProtocol("SSLv3");
            connectionConfig.setUseSsl(true);
            conn = new LdapNetworkConnection(connectionConfig);
            conn.connect();
        }
    }

On Tue, Mar 18, 2014 at 10:30 AM, Kiran Ayyagari wrote:

> On Tue, Mar 18, 2014 at 10:53 PM, Flavio Mattos wrote:
>
> > here it is.. it was attached with the last email as well...
> >
> attachments get stripped by ASF mailer
>
> > Thanks
> >
> > 513 [NioProcessor-1] WARN org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake failed.
> > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> >     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
> >     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
> >     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >     at java.lang.Thread.run(Thread.java:724)
> > Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> >     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
> >     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
> >     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
> >     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
> >     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
> >     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
> >     at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
> >     ... 15 more
> > Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
> >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
> >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
> >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
> >     at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
> >     at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
> >     at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
> >     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
> >     ... 17 more
> > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >
> this is happening due to the default TrustManager set by default in LdapConnectionConfig
>
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
> >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> >     at sun.security.validator.Validator.validate(Validator.java:260)
> >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
> >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
> >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
> >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
> >     ... 25 more
> > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
> >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
> >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
> >     ... 31 more
> > 714 [main] ERROR org.apache.directory.ldap.client.api.LdapNetworkConnection - Message failed : something wrong has occurred
> > org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
> >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
> >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
> >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
> >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
> >     at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)
> >
> > On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari wrote:
> >
> > > On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <flaviomattos86@gmail.com> wrote:
> > >
> > > > Hi Kiran.. thank you for replying to my message...
> > > >
> > > > I tried to do what you suggested and it did not work. I have attached the stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake failed.
> > > >
> > > please post the stacktrace as well
> > >
> > > >     public static void initConnection() throws LdapException, IOException {
> > > >         if (conn == null) {
> > > >             LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > > >             connectionConfig.setLdapHost("myhost");
> > > >             connectionConfig.setLdapPort(636);
> > > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > > >             connectionConfig.setCredentials("mypass");
> > > >             connectionConfig.setUseSsl(true);
> > > >             connectionConfig.setSslProtocol("SSLv3");
> > > add the below line here
> > >             connectionConfig.setTrustManagers(new NoVerificationTrustManager()); // add the appropriate import
> > >
> > > >             conn = new LdapNetworkConnection(connectionConfig);
> > > >             conn.connect();
> > > >             conn.bind();
> > > >         }
> > > >     }
> > > >
> > > > I also tried the following code using tls and trustmanagers but this time it gives me a Protocol error
> > > >
> > > the same fix (mentioned above) will work here, and also for TLS you _should_ use the non-SSL port
> > >
> > > >     org.apache.directory.api.ldap.model.exception.LdapOperationException: PROTOCOL_ERROR: The server will disconnect!
> > > >         at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
> > > >
> > > >     public static void initConnection() throws LdapException, IOException {
> > > >         if (conn == null) {
> > > >             LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > > >             try {
> > > >                 FileInputStream fis = new FileInputStream("server.jks");
> > > >                 TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > > >                 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> > > >                 char[] password = new String("myCertPass").toCharArray();
> > > >                 keyStore.load(fis, password);
> > > >                 tmf.init(keyStore);
> > > >                 connectionConfig.setTrustManagers(tmf.getTrustManagers());
> > > >             } catch (NoSuchAlgorithmException ex) {
> > > >                 ex.printStackTrace(System.out);
> > > >             } catch (KeyStoreException ex) {
> > > >                 ex.printStackTrace(System.out);
> > > >             } catch (CertificateException ex) {
> > > >                 ex.printStackTrace(System.out);
> > > >             }
> > > >             connectionConfig.setLdapHost("myhost");
> > > >             connectionConfig.setLdapPort(636);
> > > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > > >             connectionConfig.setCredentials("mypass");
> > > >             connectionConfig.setSslProtocol("SSLv3");
> > > >             connectionConfig.setUseTls(true);
> > > >             conn = new LdapNetworkConnection(connectionConfig);
> > > >             conn.connect();
> > > >             conn.startTls();
> > > >         }
> > > >     }
> > > >
> > > > Thanks in advance
> > > >
> > > > Flavio
> > > >
> > > > On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <kayyagari@apache.org> wrote:
> > > >
> > > > > On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <flaviomattos86@gmail.com> wrote:
> > > > >
> > > > > > Hi guys..
> > > > > >
> > > > > > I have been trying to connect to an OpenLDAP server using ssl/ldaps.
> > > > > > I can connect to that server using Apache Studio (via ldaps) and I would like to connect to the same server using the Apache API.
> > > > > >
> > > > > > This is the code... One detail is that I generated the key in the server using openssl.
> > > > > >
> > > > > > Then I have done some research and some people say that I need to generate a key in the Java pattern.. so then I generated a PKCS #12 key store using something like
> > > > > >
> > > > > you don't need to do this unless you want your client to be verified with the server
> > > > >
> > > > > >     openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> > > > > > and then
> > > > > >     keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
> > > > > >
> > > > > > I have attached the stacktrace..
> > > > > > The exception happens in the bind method
> > > > > >
> > > > > >     public static void initConnection() throws LdapException, IOException {
> > > > > >
> > > > > >         LdapConnection conn ...
> > > > > >
> > > > > >         if (conn == null) {
> > > > > >             LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > > > > >             KeyManagerFactory keyManagerFactory = null;
> > > > > >             try {
> > > > > >                 FileInputStream fis = new FileInputStream("server.jks");
> > > > > >                 keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
> > > > > >                 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> > > > > >                 char[] password = new String("mykeyPass").toCharArray();
> > > > > >                 keyStore.load(fis, password);
> > > > > >                 keyManagerFactory.init(keyStore, password);
> > > > > >                 keyManagerFactory.getKeyManagers();
> > > > > >                 connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> > > > > >             } catch (NoSuchAlgorithmException ex) {
> > > > > >                 ex.printStackTrace(System.out);
> > > > > >             } catch (KeyStoreException ex) {
> > > > > >                 ex.printStackTrace(System.out);
> > > > > >             } catch (UnrecoverableKeyException ex) {
> > > > > >                 ex.printStackTrace(System.out);
> > > > > >             } catch (CertificateException ex) {
> > > > > >                 ex.printStackTrace(System.out);
> > > > > >             }
> > > > > >
> > > > > just drop all the above KeyManager code and the client will work.
> > > > >
> > > > > >             connectionConfig.setLdapHost("myhost");
> > > > > >             connectionConfig.setLdapPort(636);
> > > > > >             connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > > > > >             connectionConfig.setCredentials("mypass");
> > > > > >             connectionConfig.setUseSsl(true);
> > > > > >             connectionConfig.setSslProtocol("SSLv3");
> > > > > >             conn = new LdapNetworkConnection(connectionConfig);
> > > > > >
> > > > > >             conn.connect();
> > > > > >             conn.bind();
> > > > > >         }
> > > > > >     }
> > > > > >
> > > > > note that by default the client will trust any X509 certificate used by the server, if you want to restrict it then a custom trust manager must be provided and set using connectionConfig.setTrustManagers()
> > > > >
> > > > > > Thanks
> > > > > > Flavio
> > > > >
> > > > > --
> > > > > Kiran Ayyagari
> > > > > http://keydap.com
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
>
> --
> Kiran Ayyagari
> http://keydap.com
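Editor's note, not part of the thread: the fix that made the code "work" is NoVerificationTrustManager, which silences the PKIX error by accepting any certificate, so a host on the path can impersonate the directory and collect the Manager password at bind time. The root cause in the trace is simply that the openssl-generated certificate is not in the JVM's default truststore. The example below is added code (not from the thread and not from the Apache Directory project) showing the alternative a practitioner would normally want: load the PEM certificate the poster already has (the self-signed server cert, or the CA that issued it) into an in-memory truststore, hand the resulting trust managers to setTrustManagers(), and connect either over LDAPS on 636 or with StartTLS on the plaintext port, as Kiran advised. It assumes the PEM file is at cert.pem, the bind DN and password from the thread, and the LdapConnectionConfig/LdapNetworkConnection calls the thread itself uses; the class name PinnedLdapConnection and the helper names are hypothetical. It deliberately does not call setSslProtocol("SSLv3"): SSLv3 is disabled by default in current JDKs (jdk.tls.disabledAlgorithms) and would make the handshake fail.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/** Hypothetical helper class: pins the directory's certificate instead of disabling verification. */
public class PinnedLdapConnection {

    /**
     * Builds trust managers that accept only chains anchored at one of the
     * certificates in the PEM file (a self-signed server certificate or its CA).
     * The JVM default truststore is not consulted at all.
     */
    public static TrustManager[] trustManagersFor(Path pemFile)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> anchors;
        try (InputStream in = Files.newInputStream(pemFile)) {
            anchors = cf.generateCertificates(in); // accepts one or several PEM blocks
        }
        if (anchors.isEmpty()) {
            throw new GeneralSecurityException("no certificate found in " + pemFile);
        }
        // load(null, null) creates an empty in-memory keystore; no .jks file needed
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        int i = 0;
        for (Certificate anchor : anchors) {
            trustStore.setCertificateEntry("ldap-anchor-" + (i++), anchor);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    private static LdapConnectionConfig baseConfig(String host, int port, TrustManager[] tms) {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setName("cn=Manager,dc=example,dc=com"); // bind DN from the thread
        config.setCredentials("mypass");                  // placeholder password from the thread
        config.setTrustManagers(tms);                     // PKIX validation against our anchors only
        // No setSslProtocol(): let JSSE negotiate its default TLS version.
        return config;
    }

    /** LDAPS: the socket speaks TLS from the first byte (port 636 by convention). */
    public static LdapNetworkConnection connectLdaps(String host, int port, TrustManager[] tms)
            throws LdapException, IOException {
        LdapConnectionConfig config = baseConfig(host, port, tms);
        config.setUseSsl(true);
        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        conn.connect();
        conn.bind();
        return conn;
    }

    /** StartTLS: plaintext LDAP port (389 by convention), upgraded before the bind. */
    public static LdapNetworkConnection connectStartTls(String host, int port, TrustManager[] tms)
            throws LdapException, IOException {
        LdapConnectionConfig config = baseConfig(host, port, tms);
        config.setUseTls(true);
        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        conn.connect();
        // Same call sequence as the thread's StartTLS attempt. Sending the StartTLS
        // extended operation to a port that already speaks TLS (636) is what produced
        // the PROTOCOL_ERROR in the thread.
        conn.startTls();
        conn.bind(); // credentials now travel inside the TLS session
        return conn;
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = trustManagersFor(Paths.get("cert.pem")); // assumed path
        try (LdapNetworkConnection conn = connectLdaps("myhost", 636, tms)) {
            System.out.println("LDAPS bind authenticated: " + conn.isAuthenticated());
        }
    }
}
```

Two caveats when using this. A TrustManagerFactory trust manager validates the certificate chain, not the host name: JSSE only matches the name in the certificate against the host when an endpoint identification algorithm is set on the SSLEngine, so check whether the API version in use does that before relying on it against an active attacker. And if the directory's certificate is rotated, the PEM file must be updated; that is the price of not trusting everything, and it is still far cheaper than NoVerificationTrustManager.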