From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [ApacheDS] Cannot establish TLS connection between spring-ldap client and apacheds
Date Wed, 26 Jul 2017 19:19:05 GMT


On 26/07/2017 at 18:57, John Lee wrote:
> Thanks for your support guys.
>
> I was able to connect via LDAPS connection with Studio which presumably
> uses the Apache LDAP API?
Yes.

> Under : DN:
> ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> I have setting :
>
> ads-enabledprotocols:TLSv1.2

Which is ok.
>
> I only just added this on Emmanuel's guidance, but I get the same problem.
> The Java LDAPS client is using oracle JDK8 which defaults to using the
> TLSv1.2 protocol.
>
> Yeh I followed through some of the google links. I noticed some references
> to similar problems happening more frequently with certain ciphers (
> http://apache-ignite-users.70518.x6.nabble.com/Random-SSL-unsupported-record-version-td8406.html),
> although in my case the connection always fails rather than fails randomly.
>
> I see a question raised in March in archives (
> http://mail-archives.apache.org/mod_mbox/directory-users/201703.mbox/browser
> -  Problem with limiting ciphers for ldaps) about the possibility of
> restricting the ciphers used, as I was going to try and use a different
> cipher, maybe older less secure one just for test purposes to see if I get
> the same problem. However, I don't think this cipher restriction is
> supported in ApacheDS configuration?
>
> That archived question also asks how the cipher list is arrived at and if
> java.security specified providers are consulted to figure out the ciphers
> that are supported by the installed java version. For example, in my case
> Apache DS is running on openJdk 7 but my client is running on Oracle JDK 8.
> I'll try upgrading to use Oracle JDK 8 on the host for apache DS and see if
> it makes a difference.

Yes, try to run ApacheDS with Java 7.

I was a bit quick in my previous answer, btw. Clearly, the ClientHello
and ServerHello exchanges have been done properly, with

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 being selected, and TLSv1.2
being used. Be sure that the server uses Java with the Unlimited Strength Jurisdiction Policy
Files
(http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html).


-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
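A diagnostic for the condition discussed in the thread, as an added example that is neither part of the original messages nor ApacheDS code: run it with the same JVM that ApacheDS uses to see whether the JCE policy caps AES at 128 bits, which would leave the negotiated AES-256 suite unusable once the hellos are done. The class name JcePolicyCheck is my own choice.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

public class JcePolicyCheck {
    // The suite the ServerHello selected in the handshake discussed above.
    static final String SUITE = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";

    public static void main(String[] args) throws Exception {
        // Without the Unlimited Strength policy files, Java 7/8 report 128 here;
        // with them installed the JVM reports Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = maxAes >= 256;
        System.out.println("Max AES key length: "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes));

        // Ask the default SSLContext what it can offer: "supported" means the
        // provider knows the suite, "default" means it is enabled out of the box.
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();
        boolean supported = Arrays.asList(factory.getSupportedCipherSuites()).contains(SUITE);
        boolean enabledByDefault = Arrays.asList(factory.getDefaultCipherSuites()).contains(SUITE);
        System.out.println(SUITE + " supported=" + supported
                + " enabledByDefault=" + enabledByDefault);

        // Java 7 supports TLSv1.2 but does not enable it by default on the client
        // side, so show both lists rather than assuming.
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Default protocols:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        if (!unlimited) {
            System.out.println("AES-256 suites cannot be used: install the JCE Unlimited "
                    + "Strength Jurisdiction Policy Files for this JVM.");
        }
    }
}
```

If the first line prints 128, the server will accept an AES-256 suite in the ServerHello and then fail when it tries to derive the keys, which matches a handshake that looks fine up to the hellos and breaks afterwards.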

