directory-users mailing list archives

From John Lee <jhn134...@gmail.com>
Subject Re: [ApacheDS] Cannot establish TLS connection between spring-ldap client and apacheds
Date Wed, 26 Jul 2017 16:57:41 GMT
Thanks for your support guys.

I was able to connect via LDAPS connection with Studio which presumably
uses the Apache LDAP API?
Under the DN:
ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
I have the setting:

ads-enabledprotocols:TLSv1.2

I only just added this on Emmanuel's guidance, but I get the same problem.
The Java LDAPS client is using Oracle JDK 8, which defaults to using the
TLSv1.2 protocol.

Yeah, I followed through some of the Google links. I noticed some references
to similar problems happening more frequently with certain ciphers
(http://apache-ignite-users.70518.x6.nabble.com/Random-SSL-unsupported-record-version-td8406.html),
although in my case the connection always fails rather than failing randomly.

I see a question raised in March in the archives
(http://mail-archives.apache.org/mod_mbox/directory-users/201703.mbox/browser - "Problem with limiting ciphers for ldaps")
about the possibility of restricting the ciphers used, as I was going to try
and use a different cipher, maybe an older, less secure one just for test
purposes, to see if I get the same problem. However, I don't think this cipher
restriction is supported in ApacheDS configuration?

That archived question also asks how the cipher list is arrived at and if
java.security specified providers are consulted to figure out the ciphers
that are supported by the installed java version. For example, in my case
ApacheDS is running on OpenJDK 7 but my client is running on Oracle JDK 8.
I'll try upgrading to use Oracle JDK 8 on the host for ApacheDS and see if
it makes a difference.


On Wed, Jul 26, 2017 at 2:58 PM, Shawn McKinney <smckinney@apache.org>
wrote:

>
> > On Jul 26, 2017, at 3:19 AM, John Lee <jhn134910@gmail.com> wrote:
> >
> > I'm having a problem establishing an LDAPS connection between spring-ldap
> > client and apacheDS. Details are provided on stackoverflow, as this is the
> > official forum for spring-ldap and I assume the problem is client-side:
> >
> > https://stackoverflow.com/questions/45232244/cannot-establish-tls-connection-between-spring-ldap-client-and-apacheds
>
> Nice writeup on overflow.  This error jumped out at me:
> Thread-8, handling exception: javax.net.ssl.SSLException: Unsupported
> record version Unknown-38.2
> %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
> Thread-8, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
>
> for which I googled:
> "javax.net.ssl.SSLException: Unsupported record version Unknown-38.2
> %% Invalidated"
>
> and found some hits.  Have you chased those down?
>
> The other thing you can try is connecting with the Apache LDAP API instead
> of spring ldap.  I am not suggesting that spring ldap’s apis are broken on
> TLS.  I’m saying that apacheds + its own ldap api are a combination that
> has been tested by us here and we’re going to have better support for you.
>
> There’s some doc about the api and crypto stuff here:
> http://directory.apache.org/api/user-guide/5.1-ldaps.html
>
> Oh and welcome to the list.  Good luck.
>
> Shawn
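
As an added illustration (not code from the thread, from ApacheDS or from JSSE): the "Unknown-38.2" in the quoted JSSE log is how JSSE prints a record header whose version bytes it does not recognise, here 0x26 0x02, and the small Python tool below decodes such a header the way a TLS record layer does. It also flags that 30 26 02 ... is exactly how a 38-byte BER SEQUENCE followed by an INTEGER (a plaintext LDAP PDU) begins; that reading of the bytes is an inference from the log, not something the thread confirms, and the sample lines are constructed from the quoted output.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Record content types and header versions that JSSE recognises (SSLv3 .. TLSv1.2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# JSSE prints an unrecognised record version as "Unknown-<major>.<minor>" (decimal byte values).
UNKNOWN_RE = re.compile(r"Unsupported record version Unknown-(\d+)\.(\d+)")


def version_from_jsse_log(line: str) -> Optional[Tuple[int, int]]:
    """Extract the (major, minor) version bytes from a JSSE 'Unsupported record version' line."""
    m = UNKNOWN_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


@dataclass
class RecordDiagnosis:
    content_type: str     # TLS content type name, or "unknown(<byte>)"
    version: str          # TLS version name, or JSSE-style "Unknown-M.m"
    length: int           # record length field
    looks_like_ber: bool  # header bytes are also a valid BER SEQUENCE + INTEGER start (LDAP PDU)


def diagnose_record_header(hdr: bytes) -> RecordDiagnosis:
    """Interpret the first 5 bytes read from the socket the way a TLS record layer would."""
    if len(hdr) < 5:
        raise ValueError("need at least 5 header bytes")
    ctype, major, minor = hdr[0], hdr[1], hdr[2]
    length = int.from_bytes(hdr[3:5], "big")
    version = VERSION_NAMES.get((major, minor), f"Unknown-{major}.{minor}")
    # An LDAP message is BER: 0x30 (SEQUENCE), a short-form length (< 0x80), then 0x02 (INTEGER
    # tag of the messageID). Bytes 30 26 02 ... therefore read as record version "Unknown-38.2".
    looks_like_ber = ctype == 0x30 and major < 0x80 and minor == 0x02
    return RecordDiagnosis(CONTENT_TYPES.get(ctype, f"unknown({ctype})"), version, length, looks_like_ber)


def explain_jsse_failure(line: str) -> str:
    """Turn a JSSE 'Unsupported record version' line into a one-line diagnosis."""
    ver = version_from_jsse_log(line)
    if ver is None:
        return "no unsupported-record-version error in this line"
    major, minor = ver
    hint = ""
    if major < 0x80 and minor == 0x02:  # short BER length followed by an INTEGER tag
        hint = f"; preceded by 0x30 that is a BER SEQUENCE of {major} bytes, i.e. a plaintext LDAP PDU"
    return f"record version bytes were {major:#04x} {minor:#04x}{hint}"
```

A capture of the first bytes the client actually received on port 636 (for example with a packet capture on the client host) would confirm or refute the BER reading.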
