directory-api mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Unavailable Cipher Suites
Date Thu, 16 Nov 2017 17:23:30 GMT


Le 16/11/2017 à 16:54, Frank Crow a écrit :
> I'm using Apache Directory Studio (which I assume is using the Apache LDAP
> API) and having an issue connecting due to (apparently) "unavailable cipher
> suites" with OpenLDAP.
>
> I created a self-signed CA using OpenSSL command line tools and have
> verified that the certificate (and even client-side certs signed by it)
> work without problems using all of the OpenLDAP applications.   I've even
> successfully integrated it with Kerberos and SSSD with TLS/SSL.
>
> On some machines, the Apache Directory Studio works with my configuration
> no problem as well.   However, on Windows and certain other Linux machines,
> it fails with "SSL Handshake Error".
>
> I added "-Djavax.net.debug=ssl:handshake" and was able to determine that
> the cipher suite that I'm using (ECDHE-RSA-AES256-GCM-SHA385) is output as
> an "unavailable cipher suite".   It also looks like the only available
> cipher suites (listed later in the output) use AES128 or weaker algorithms.
>
> How can I get Apache Directory Studio to use updated cryptography libraries?
You most certainly have to install JCE, which offers the AES 256-bit
cipher. It's not part of the standard Java JRE/SDK for US export policy
reasons.

("If stronger algorithms are needed (for example, AES with 256-bit
keys), the JCE Unlimited Strength Jurisdiction Policy Files
<http://www.oracle.com/technetwork/java/javase/downloads/index.html>
must be obtained and installed in the JDK/JRE.", from
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html)
>
>
> Thanks,

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
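A way to confirm the diagnosis above before installing anything, as an added example that is not part of this thread or of the Apache Directory project: run the class below on the exact JRE that Apache Directory Studio uses. `Cipher.getMaxAllowedKeyLength("AES")` reports what the jurisdiction policy permits (128 under the limited policy, `Integer.MAX_VALUE` under the unlimited one), and the default `SSLContext` lists the suites the JSSE will actually offer. The class name `JceStrengthCheck` and the `"AES_256_GCM"` filter are my choices; note that the suite OpenSSL calls `ECDHE-RSA-AES256-GCM-SHA384` appears in Java as `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/** Reports whether this JRE can negotiate AES-256 TLS cipher suites (example, not project code). */
public class JceStrengthCheck {

    /** True when the jurisdiction policy permits AES keys of 256 bits or more. */
    public static boolean unlimitedStrengthInstalled() throws NoSuchAlgorithmException {
        // Limited policy: 128. Unlimited policy: Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Cipher suites enabled by the default SSLContext whose name contains the fragment. */
    public static String[] enabledSuitesContaining(String fragment) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.stream(ctx.getDefaultSSLParameters().getCipherSuites())
                     .filter(name -> name.contains(fragment))
                     .toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AES max key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("Unlimited strength policy installed: " + unlimitedStrengthInstalled());

        // OpenSSL's ECDHE-RSA-AES256-GCM-SHA384 is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 in Java.
        String[] aes256 = enabledSuitesContaining("AES_256_GCM");
        if (aes256.length == 0) {
            System.out.println("No AES-256-GCM suites enabled: only AES-128 or weaker will be offered.");
        } else {
            System.out.println("Enabled AES-256-GCM suites:");
            for (String suite : aes256) {
                System.out.println("  " + suite);
            }
        }
    }
}
```

Compile with `javac JceStrengthCheck.java` and run with the same `java` binary that launches Studio on the failing machine; if the max key length prints 128, the policy files are the missing piece, which matches the "unavailable cipher suite" line seen with `-Djavax.net.debug=ssl:handshake`. On JDK 8u161 and later the unlimited policy is the default and is controlled by the `crypto.policy` security property instead of replacement jar files, so a machine that still reports 128 there has been deliberately configured to `limited`.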

