directory-api mailing list archives

From Emmanuel Lécharny <>
Subject Re: Unavailable Cipher Suites
Date Thu, 16 Nov 2017 17:23:30 GMT

On 16/11/2017 at 16:54, Frank Crow wrote:
> I'm using Apache Directory Studio (which I assume is using the Apache LDAP
> API) and having an issue connecting due to (apparently) "unavailable cipher
> suites" with OpenLDAP.
> I created a self-signed CA using OpenSSL command line tools and have
> verified that the certificate (and even client-side certs signed by it)
> work without problems using all of the OpenLDAP applications.   I've even
> successfully integrated it with Kerberos and SSSD with TLS/SSL.
> On some machines, the Apache Directory Studio works with my configuration
> no problem as well.   However, on Windows and certain other Linux machines,
> it fails with "SSL Handshake Error".
> I added "" and was able to determine that
> the cipher suite that I'm using (ECDHE-RSA-AES256-GCM-SHA385) is output as
> an "unavailable cipher suite".   It also looks like the only available
> cipher suites (listed later in the output) use AES128 or weaker algorithms.
> How can I get Apache Directory Studio to use updated cryptography libraries?
You most certainly have to install JCE, which offers AES 256 bit
cipher. It's not part of the standard Java JRE/SDK for US export policy

("If stronger algorithms are needed (for example, AES with 256-bit
keys), the JCE Unlimited Strength Jurisdiction Policy Files
must be obtained and installed in the JDK/JRE.", from
> Thanks,

Emmanuel Lecharny
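
An added diagnostic, not part of the original message or of the Apache Directory code base, that reports whether the running JRE's JCE policy permits AES-256 and which AES-256 TLS suites JSSE offers. The class name `Aes256TlsCheck` and the `_AES_256_` name filter are choices made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Example class (hypothetical name), written for this page.
public class Aes256TlsCheck {

    /** True when the installed JCE policy allows AES keys of 256 bits or more. */
    static boolean aes256Permitted() throws NoSuchAlgorithmException {
        // The limit comes from the jurisdiction policy files of the running JRE.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Suites from the given list whose JSSE name contains an AES-256 cipher. */
    static List<String> aes256Suites(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_AES_256_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The policy is per runtime, so record which JRE is actually in use.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("max AES key length = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 permitted  = " + aes256Permitted());

        SSLContext ctx = SSLContext.getDefault();
        List<String> supported = aes256Suites(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled = aes256Suites(ctx.getDefaultSSLParameters().getCipherSuites());

        System.out.println("AES-256 suites supported by JSSE: " + supported.size());
        for (String s : supported) {
            // A suite can be supported but not enabled by default.
            System.out.println("  " + s + (enabled.contains(s) ? "" : "  (not enabled by default)"));
        }
        if (!aes256Permitted()) {
            System.out.println("Policy restricts AES to 128-bit keys on this JRE; "
                    + "a server that only accepts AES-256 suites will fail the handshake.");
        }
    }
}
```

Run it with the same Java runtime that launches Directory Studio, since a machine with several JREs can have the policy files installed in only one of them.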
