directory-api mailing list archives

From Lucas Theisen <lucasthei...@pastdev.com>
Subject Re: Can't connect with TLS/SSL
Date Wed, 06 Apr 2016 21:49:26 GMT
If you don't explicitly set the trust store, it will default to the trust
store for the JRE.  Trust manager is something that uses trust stores.  For
example, you could set a trust manager that completely ignores trust stores
(sometimes used by applications that don't really care about security...).
Anyway, you need to ensure your cert is installed in your trust store.  For
details on that you should look for keytool (which should come with the
JRE, or possibly JDK).
On Apr 6, 2016 5:38 PM, "Frank Crow" <fjcrow2008@gmail.com> wrote:

> I think that we did.   We have a cacert.pem that is used by all the command
> line tools for that purpose.    I think our problem is in the
> keystore/keymanager but I'm new to that part of Java so I'm having some
> difficulty verifying that it was done correctly.   I'm saying "we" here
> because this code has been worked on by various members of the team over
> time (BTW).
>
> So just to narrow down what to look at... if we have the cacert properly in
> the keystore then the Apache LDAP API will find it on its own, correct?
>
> On the LdapConnectionConfig we're setting setUseTls().   Do we also need to
> setTrustManagers() as well?
>
>
> Thanks,
> Frank
>
>
> On Wed, Apr 6, 2016 at 5:23 PM, Lucas Theisen <lucastheisen@pastdev.com>
> wrote:
>
> > Did you ensure that your Java trust store contains the certificate
> > authority that signed your server certificate?
> > On Apr 6, 2016 5:15 PM, "Frank Crow" <fjcrow2008@gmail.com> wrote:
> >
> > > Can anyone help me figure out how to debug this?   I have an OpenLDAP
> > > server on the backend and everything else (i.e., command line tools or C++
> > > code) can connect to it with simple binds and TLS but our application with
> > > the Apache LDAP API cannot.
> > >
> > > It always gives us "SSL Handshake failed" and this stack dump:
> > >
> > > > 2016-04-06 21:05:41,145 ERROR unable to bind connection: SSL handshake failed.
> > > > 2016-04-06 21:05:41,145 DEBUG unable to bind connection:
> > > > org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4005)
> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1218)
> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1116)
> > > >     at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:127)
> > > >     at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:112)
> > > >     at org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory.bindConnection(DefaultLdapConnectionFactory.java:64)
> > > >     at org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory.newLdapConnection(DefaultLdapConnectionFactory.java:107)
> > > >     at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:129)
> > > >     at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:44)
> > > >     at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)
> > > >     at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:123)
> > > >     at org.apache.directory.ldap.client.template.LdapConnectionTemplate.search(LdapConnectionTemplate.java:666)
> > > >     at org.apache.directory.ldap.client.template.LdapConnectionTemplate.searchFirst(LdapConnectionTemplate.java:607)
> > > >     at org.apache.directory.ldap.client.template.LdapConnectionTemplate.searchFirst(LdapConnectionTemplate.java:581)
> > > >     at csa.ums.ldap.wrapper.LdapWrapper$LdapConnectionMonitorWorker.run(Unknown Source)
> > > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> > > >     at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
> > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
> > > >     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
> > > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > > >     at java.lang.Thread.run(Thread.java:745)
> > > > 2016-04-06 21:05:41,146 WARN  [LDAP Service Interruption] Connection to the LDAP server a22a1a19 failed:
> > > > org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
> > > > 2016-04-06 21:05:41,146 INFO  [LDAP Service Interruption] Switching to server localhost
> > > > 2016-04-06 21:05:41,148 DEBUG found X509TrustManager sun.security.ssl.X509TrustManagerImpl@32eabe1d
> > > > 2016-04-06 21:05:41,148 DEBUG creating new connection template from connectionPool
> > >
> > >
> > > I can provide a clip of the code if necessary but I was hoping on methods
> > > of debugging this ourselves.
> > >
> > >
> > > Thanks,
> > > --
> > > Frank
> > >
> >
>
>
>
> --
> Frank
>

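The distinction Lucas draws above (trust store = the set of CA certificates; trust manager = the object that decides whether a presented chain leads to one of them) is easiest to see in code. The following is an added example written for this archive page, not code from the thread or from the Apache LDAP API project. It builds a trust manager directly from a PEM CA bundle like the `cacert.pem` the command-line tools use, so the application no longer depends on what happens to be in the JRE's `cacerts`, and hands it to `LdapConnectionConfig.setTrustManagers()`. The PEM path, host, port, bind DN and password are assumptions for illustration. The commented-out `NoVerificationTrustManager` line is the "ignores trust stores" case Lucas warns about: it accepts any server certificate and so removes the protection TLS is there to provide.

```java
// Added example (not from the thread or the Apache LDAP API project).
// Paths, host, port, bind DN and password below are assumptions for illustration.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
// import org.apache.directory.ldap.client.api.NoVerificationTrustManager; // insecure, see below

public class LdapTlsTrust {

    /**
     * Build trust managers that trust exactly the CA certificates in a PEM bundle.
     * This is the in-memory equivalent of
     *   keytool -importcert -trustcacerts -alias myca -file cacert.pem -keystore truststore.jks
     * followed by loading truststore.jks, but it needs no file on disk.
     */
    static TrustManager[] trustManagersFromPem(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory trust store
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            // generateCertificates() handles a bundle containing several CAs in one file
            for (Certificate ca : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("ca-" + (i++), ca);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /** Sanity check before connecting: list the issuers the trust manager will accept. */
    static void dumpTrustedIssuers(TrustManager[] tms) {
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted CA: " + ca.getSubjectX500Principal());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = trustManagersFromPem("/etc/ssl/certs/cacert.pem"); // assumed path
        dumpTrustedIssuers(tms);

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost("ldap.example.com"); // assumed
        config.setLdapPort(389);
        config.setUseTls(true);   // StartTLS on the plain port; setUseSsl(true) with port 636 is LDAPS
        config.setTrustManagers(tms); // explicit trust: no dependence on the JRE's cacerts
        config.setName("cn=app,dc=example,dc=com"); // assumed bind DN
        config.setCredentials("secret");            // assumed; load from a secret store in real code

        // The "don't really care about security" variant: accepts any server certificate,
        // so an on-path attacker can present their own. Never ship this.
        // config.setTrustManagers(new NoVerificationTrustManager());

        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        try {
            conn.bind(); // with useTls the API issues StartTLS, then binds with the config's name/credentials
            System.out.println("bound over TLS: " + conn.isAuthenticated());
        } catch (LdapException e) {
            // "SSL handshake failed" here means the server's chain does not lead to one of the CAs listed above
            throw e;
        } finally {
            conn.close();
        }
    }
}
```

Two debugging notes that follow from Frank's log rather than from new facts: the `found X509TrustManager sun.security.ssl.X509TrustManagerImpl@...` line is the JRE's built-in trust manager, which reads the JRE `cacerts` file (or the store named by `-Djavax.net.ssl.trustStore=...`), not the `cacert.pem` the command-line tools use; so with no explicit `setTrustManagers()` the CA has to be imported there with `keytool -importcert`, or supplied explicitly as above. And running the application with `-Djavax.net.debug=ssl,handshake` makes the JSSE print the server's certificate chain and the exact reason the trust manager rejected it, which turns "SSL handshake failed" into something actionable.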