directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mat Gessel <mat.ges...@gmail.com>
Subject Can't connect w/ encryption after loading a custom certificate
Date Tue, 26 Jun 2012 19:30:15 GMT
I can connect using the default certificate that is automatically
created when creating a new server. However, I am unable to connect
when I specify a self-signed certificate for the server (via
uid=admin,ou=system). This problem originally occurred in a Java LDAP
client, however I can wholly reproduce the issue w/ Directory Studio.
Directions are below.

Client error:
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure (JDK 6)
javax.net.ssl.SSLKeyException: Server D-H key verification failed (JDK 7)

Reproduced on platforms:
Mac OS 10.6.8
Windows 7 x64

Reproduced on JREs:
Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-10M3720)
Java(TM) SE Runtime Environment (build 1.7.0_02-b13)

Reproduced in Apache Directory Studio versions:
2.0.0.v20120224
1.5.3.v20100330

Repro
====================
1) create a certificate
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 3650 -alias
localhost -dname "cn=localhost" -keypass changeit -keystore truststore
-storepass changeit
2) export certificate
keytool -exportcert -alias localhost -rfc -keystore truststore
-storepass changeit -file localhost.cer

-----BEGIN CERTIFICATE-----
MIICpDCCAYygAwIBAgIET+n1UTANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMTIwNjI2MTc0NTUzWhcNMjIwNjI0MTc0NTUzWjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCe
i757nu2QV6lskOggRyFpXe0Kx1DoMVebYzHJkopfRBp3nmaqVQfR119ZkbH5au4V
v1fR0zGmPhOg0S+oeS12fB4Vpd4W94iWkPqxdWfQqa1hzphSLB92be4f5EwBHggT
Ia0v7+FIdS0s2oJz0tgQqHalNTLxuf8A3ZHw7GlBepLRpL6fiQbN43bwSsJb2FGD
XTRTlHI1c/acrPZaibjuVpDmjNxCv0ufShRqlByM19D3QFY6Z6Nt849eD2MIsdQD
VIIkwqW/lJKMNezc0A/NqEsUuQqZr0JtyJhMs/cCaTkMpIh+/e8bUFi+YrlpLI52
TFy331Abd1Q2/IPi46cLAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAJddKZF2AeFT
QYnPG65a5dtWXdx6bmba0GjPacC/DXqLdRNKaKGwGFBN7fHjaigGcToVShaEBOBh
LM/5WUqD/xzdYkKsAHJjz+o8xtLRTBXR7uLnl412ZW5ypCGny5AmZP36G7E1CMPr
1RO9sIlLMBndPBYNw9312qY+daekV4yZ/+iQcJo0p726rYFEno+qUg5+eC8Z8w4Q
Gwl3BvUH2A8l6L66IuhWwGlPVcU6C6jDwVCExFG8dWjv7HPdhKxeoL7owweHpseI
zMDCez5/yrfsMsAO4idmHLJL10NPULPUJ4uCWGeSnrfG3OPUv8cstx8SrL4Ug4PN
+cbb5wmkb08=
-----END CERTIFICATE-----


3) in Directory Studio, Create a new Server
4) Run server
5) right-click on server and create a new connection
6) edit connection and change "Encryption method" to "Use StartTLS extension"
7) change "Provider" to JNDI
8) click OK to save connection
9) Open the connection
10) browse to "uid=admin,ou=system" in DIT
11 edit "userCertificate" entry
12) click "Load certificate"
13) choose localhost.cer
14) click OK to save entry
15) disconnect from server
16) stop server
17) restart Directory Studio (for kicks)
18) Run server
19) connection > Connect
20) in "Certificate Trust" dialog, select "Session" or "Always trust"
Expected Result: connection is established
Actual Result: "Problem Occurred" dialog. Error logs below.

Variations tried
==================
version 1 certificate
version 3 cert w/ SSL extension
Apache Directory LDAP Client API ("SSL handshake failed.")
specifying OU, O & C in cert
use 512 keysize for cert
set cert validity to 1 year
ApacheDS 1.5.3 vs 2.0.0
cert CN = localhost, "staticDnsName"

JRE 7 client log
Error while opening connection
 - Server D-H key verification failed
javax.naming.NamingException: Server D-H key verification failed [Root
exception is javax.net.ssl.SSLKeyException: Server D-H key
verification failed]
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$6.run(JNDIConnectionWrapper.java:926)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1305)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doConnect(JNDIConnectionWrapper.java:940)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.connect(JNDIConnectionWrapper.java:209)
	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:111)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: javax.net.ssl.SSLKeyException: Server D-H key verification failed
	at sun.security.ssl.HandshakeMessage$DH_ServerKeyExchange.<init>(Unknown
Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(Unknown Source)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(Unknown Source)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$6.run(JNDIConnectionWrapper.java:917)
	... 6 more


JRE 6 client log
Error while opening connection
 - Received fatal alert: handshake_failure
  javax.naming.NamingException: Received fatal alert:
handshake_failure [Root exception is
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure]
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$6.run(JNDIConnectionWrapper.java:900)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doConnect(JNDIConnectionWrapper.java:914)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.connect(JNDIConnectionWrapper.java:209)
	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:111)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
	at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$6.run(JNDIConnectionWrapper.java:891)
	... 6 more

JRE 6 server log
[12:01:21] WARN [org.apache.directory.server.ldap.LdapProtocolHandler]
- Unexpected exception forcing session to close: sending disconnect
notice to client.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
	at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:495)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:680)
Caused by: javax.net.ssl.SSLHandshakeException: bad handshake record MAC
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1467)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1435)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:937)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
	at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:725)
	at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:663)
	at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:549)
	at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:349)
	at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:476)
	... 15 more
[12:01:21] WARN [org.apache.directory.server.ldap.LdapProtocolHandler]
- Null LdapSession given to cleanUpSession.

JRE 7 server log
[12:02:39] WARN
[org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected
exception forcing session to close: sending disconnect notice to
client.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
	at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:495)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:46)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:796)
	at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:119)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:434)
	at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:426)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:715)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:668)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:657)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:68)
	at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1141)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
	at sun.security.ssl.Alerts.getSSLException(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
	at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
	at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
	at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:725)
	at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:663)
	at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:549)
	at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:349)
	at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:476)
	... 15 more
[12:02:39] WARN [org.apache.directory.server.ldap.LdapProtocolHandler]
- Null LdapSession given to cleanUpSession.

-- 
Mat Gessel
http://www.asquare.net

Mime
View raw message