[Jxplorer-users] ldaps:// connection issue
Michael Hammer
2010-06-01 08:49:46 UTC
Hi folks!

I have the following problem. I am using openldap-2.4.11 with TLS
enabled. I've a CaCert certificate and enabled it in the slapd.conf with

TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
TLSCertificateFile /etc/ssl/${FQDN}.crt
TLSCACertificatePath /etc/ssl/
TLSCertificateKeyFile /etc/ssl/private/${FQDN}.key
TLSVerifyClient never

and I am serving "ldaps://${FQDN}:636/".

Now I am able to connect and retrieve the ssl cert (where class3.crt is
the root cert from CaCert)

openssl s_client -connect ${FQDN} -showcerts -state -CAfile class3.crt
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing
Authority/emailAddress=***@cacert.org
[...]
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
3AC41F487E5862C0010613C09A44ABE42C7F7BFE344CF35A4DA474B333490580
Session-ID-ctx:
Master-Key:
12A49AE0D9004A8B4FD6D4F247D6B7F6F8EFFBF71F592A99280738ECDA4816E0ACA220A03650DDB9C671BB353D578780
Key-Arg : None
Krb5 Principal: None
Start Time: 1275381418
Timeout : 300 (sec)
Verify return code: 0 (ok)
---

Looks very good to me. Next step is to use ldapsearch to connect to my
ldap server over ldaps://

ldapsearch -H ldaps://${FQDN}:636 -x -b "dc=${domain},dc=${end}" -D
"uid=${user},ou=people,dc=${domain},dc=${end}" -W

and retrieve the response I am awaiting.

Now the problem in JXplorer. I am adding the CAcert root cert and even
the server crt itself to the cacerts keystore with your nice key
management GUI. If I now try to connect to the server with the
following data:

Host: ${FQDN}
Port: 636
Protocol: LDAPv3
Base DN: dc=${domain},dc=${end}
Level: SSL + User + Password
User DN: uid=${user},ou=people,dc=derhammer,dc=net
Password: <SECRET_ONE>

I get the following error in the pop up:

Error opening connection:
simple bind failed: ${FQDN}:636

and this exception:

javax.naming.CommunicationException: simple bind failed: ${FQDN}:636
[Root exception is javax.net.ssl.SSLHandshakeException: Remote host
closed connection during handshake]

Ok - the SSL handshake does not work - but why? My guess is that there
is some difference between ldaps:// (I open the connection over SSL)
and ldap:// with StartTLS (I open an unencrypted connection and request
TLS). I am not an expert in all this SSL/TLS crap but I am running out
of ideas what I can change in my setup. I also think that most people
would configure their openldap server this way and therefore must have
the same problems - assuming that I am not making a conceptual mistake.

I'd really appreciate your help because I'd "love" to use the jxplorer
to browse and edit my ldap directory. (BTW: without SSL everything works
pretty well - but I can't do a simple bind without SSL for security
reasons!)

Greets, Michael

--
----------------------------------------------------------------------
Michael Hammer
GPG-Key-ID: 0x1BA5F0DE
phone: +43 (0) 650 86 33 55 8
Graz - AUSTRIA
http://www.michael-hammer.at/
----------------------------------------------------------------------
Michael Hammer
2010-06-01 12:09:38 UTC
Hi Chris!

Thx for the fast response.
> you should be able to set logging on the java ssl connection, which
> might tell us something (and is there anything in the server side logs?)

With "loglevel any" I get on the server side:

slapd[9116]: conn=6 fd=23 ACCEPT from IP=x.x.x.x:41458 (IP=x.x.x.x:636)
slapd[9116]: connection_get(23)
slapd[9116]: connection_get(23): got connid=6
slapd[9116]: connection_read(23): checking for input on id=6
slapd[9116]: connection_read(23): TLS accept failure error=-1 id=6, closing
slapd[9116]: connection_closing: readying conn=6 sd=23 for close
slapd[9116]: connection_close: conn=6 sd=23
slapd[9116]: daemon: removing 23
slapd[9116]: conn=6 fd=23 closed (TLS negotiation failure)

which isn't very informative either ;)
> hack the .bat / .sh file to include "-Djavax.net.debug=ssl" and
> see if the handshake logs say anything sensible.

adding as trusted cert:
Subject: CN=Certificate Authority, O=MiniPKI, C=AU
Issuer: CN=Certificate Authority, O=MiniPKI, C=AU
Algorithm: RSA; Serial number: 0x0
Valid from Thu May 29 03:36:03 CEST 2003 until Tue May 27 03:36:03
CEST 2008

trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1275327584 bytes = { 28, 110, 23, 63, 103, 190, 236,
250, 247, 81, 5, 56, 135, 231, 130, 128, 95, 50, 182, 123, 50, 148, 96,
233, 13, 124, 231, 155 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
Thread-3, WRITE: TLSv1 Handshake, length = 73
Thread-3, WRITE: SSLv2 client hello message, length = 98
Thread-3, received EOFException: error
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException:
Remote host closed connection during handshake
Thread-3, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-3, WRITE: TLSv1 Alert, length = 2
Thread-3, called closeSocket()
jndiBroker Thread, handling exception:
javax.net.ssl.SSLHandshakeException: Remote host closed connection
during handshake
Jun 1, 2010 1:52:00 PM com.ca.directory.jxplorer.broker.JNDIBroker
openConnection

With the help of this logfile I found the following thread:

http://serverfault.com/questions/138286/configuring-openldap-and-ssl

Then I edited my cipher line in slapd.conf. In the SSL debug output of
Java a cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" is mentioned. If you
enter 'gnutls-cli -l' on the server side you should get a list of
supported cipher suites. The strange thing is that no cipher suite with
exactly the same name is listed - only one with a nearly identical
name. So I changed the cipher suite to

# TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
TLSCipherSuite TLS_RSA_AES_128_CBC_SHA1

And NOW I really got the info:

Thread-4, SEND TLSv1 ALERT: fatal, description = certificate_unknown
Thread-4, WRITE: TLSv1 Alert, length = 2
Thread-4, called closeSocket()
Thread-4, handling exception: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Invalid Server Certificate:
server certificate could not be verified, and the CA certificate is
missing from the certificate chain. raw error:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
jndiBroker Thread, handling exception:
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Invalid Server Certificate:
server certificate could not be verified, and the CA certificate is
missing from the certificate chain. raw error:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Jun 1, 2010 1:56:44 PM com.ca.directory.jxplorer.broker.JNDIBroker
openConnection

YUHU! Now we had to add the cert and you won't believe it - it worked!
Here is the summary for anybody who is running into similar issues:

- openldap in debian lenny is built against gnutls and not openssl. In
most tutorials it's suggested to set the cipher suite to
'TLS_RSA_AES_256_CBC_SHA1' inside slapd.conf. That's not supported in my
"Java(TM) SE Runtime Environment (build 1.6.0_20-b02)"
- Use the "-Djavax.net.debug=ssl" flag to debug the ssl session (thx
Chris for that)

Thanks once again for your hint!

Greets, Michael

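The cipher-name mismatch and the two distinct handshake failures from this thread, as an added example that is not code from the thread, JXplorer or OpenLDAP. It assumes that GnuTLS's TLS_<kx>_<cipher>_<mac> names map onto the IANA TLS_<kx>_WITH_<cipher>_<mac> names Java uses (with SHA1 written as SHA, ARCFOUR as RC4), and the log excerpt is constructed in the shape of the debug output above:

```python
"""Added example: reconcile GnuTLS-style cipher suite names from slapd.conf
with the names a Java client lists in its -Djavax.net.debug=ssl ClientHello."""
import re

# GnuTLS key-exchange prefixes, longest first so DHE_RSA matches before RSA.
_KX = ("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA", "DHE_DSS", "RSA")
_MAC = {"SHA1": "SHA", "MD5": "MD5", "SHA256": "SHA256"}
_NAME = re.compile(r"TLS_(%s)_(.+)_(%s)$" % ("|".join(_KX), "|".join(_MAC)))

def gnutls_to_iana(name):
    """TLS_RSA_AES_128_CBC_SHA1 (GnuTLS) -> TLS_RSA_WITH_AES_128_CBC_SHA; None if unknown."""
    m = _NAME.match(name)
    if not m:
        return None
    kx, cipher, mac = m.groups()
    return "TLS_%s_WITH_%s_%s" % (kx, cipher.replace("ARCFOUR", "RC4"), _MAC[mac])

def offered_suites(debug_log):
    """Suites in the ClientHello of Java's SSL debug output. Java 6 names the
    SSLv3-era suites SSL_..., which denote the same suites as TLS_...; normalise."""
    m = re.search(r"Cipher Suites: \[(.*?)\]", debug_log, re.S)
    raw = m.group(1).split(",") if m else []
    return {re.sub(r"^SSL_", "TLS_", s.strip()) for s in raw}

def shared_suites(slapd_cipher_suites, debug_log):
    """Suites both sides could agree on; an empty result means the server drops
    the connection right after the ClientHello, as in the thread's first log."""
    wanted = {gnutls_to_iana(s) for s in slapd_cipher_suites} - {None}
    return sorted(wanted & offered_suites(debug_log))

def classify_handshake(debug_log):
    """Separate the two failure modes seen in the thread."""
    if "PKIX path building failed" in debug_log:
        return "trust"          # CA missing from the client's cacerts keystore
    if "closed connection during handshake" in debug_log and "ServerHello" not in debug_log:
        return "negotiation"    # no common suite/protocol; server closed early
    return "unknown"

# Constructed excerpt in the shape of the thread's -Djavax.net.debug=ssl output;
# like the thread's ClientHello, the Java 6 default list has no AES-256 suite.
SAMPLE_LOG = """*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Thread-3, received EOFException: error
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException:
Remote host closed connection during handshake
"""
```

Running `shared_suites(["TLS_RSA_AES_256_CBC_SHA1"], SAMPLE_LOG)` returns an empty list, while the 128-bit suite from the fixed slapd.conf is found in the ClientHello.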