On Tue, Mar 18, 2014 at 10:53 PM, Flavio Mattos <[email protected]> wrote:

> here it is.. it was attached with the last email as well...
>
attachments get stripped by ASF mailer

> Thanks
>
> 513 [NioProcessor-1] WARN org.apache.directory.ldap.client.api.LdapNetworkConnection - SSL handshake failed.
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:724)
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578)
>     at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)
>     ... 15 more
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
>     at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1299)
>     at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759)
>     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544)
>     ... 17 more
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
this is happening due to the default TrustManager set by default in LdapConnectionConfig

>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1328)
>     ... 25 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
>     ... 31 more
> 714 [main] ERROR org.apache.directory.ldap.client.api.LdapNetworkConnection - Message failed : something wrong has occurred
> org.apache.directory.ldap.client.api.exception.InvalidConnectionException: SSL handshake failed.
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:3939)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1178)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1076)
>     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:934)
>     at com.hyperwallet.ldap.connection.SandBox.main(SandBox.java:57)
>
>
> On Tue, Mar 18, 2014 at 10:21 AM, Kiran Ayyagari <[email protected]> wrote:
>
> > On Tue, Mar 18, 2014 at 10:44 PM, Flavio Mattos <[email protected]> wrote:
> >
> > > Hi Kiran.. thank you for replying my message...
> > >
> > > I tried to do what you suggested and it did not work. I have attached the
> > > stack trace.. it keeps giving me LdapNetworkConnection - SSL handshake
> > > failed.
> > >
> > please post the stacktrace as well
> >
> > > public static void initConnection() throws LdapException, IOException {
> > >     if (conn == null) {
> > >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > >         connectionConfig.setLdapHost("myhost");
> > >         connectionConfig.setLdapPort(636);
> > >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >         connectionConfig.setCredentials("mypass");
> > >         connectionConfig.setUseSsl(true);
> > >         connectionConfig.setSslProtocol("SSLv3");
> >
> > add the below line here
> >
> >         connectionConfig.setTrustManagers(new NoVerificationTrustManager()); // add the appropriate import
> >
> > >         conn = new LdapNetworkConnection(connectionConfig);
> > >
> > >         conn.connect();
> > >         conn.bind();
> > >     }
> > > }
> > >
> > > I also tried the following code using tls and trustmanagers but this time
> > > it gives me a Protocol error
> > >
> > the same fix (mentioned above) will work here, and also for TLS you _should_ use the non-SSL port
> >
> > > org.apache.directory.api.ldap.model.exception.LdapOperationException: PROTOCOL_ERROR: The server will disconnect!
> > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.startTls(LdapNetworkConnection.java:3678)
> > >
> > > public static void initConnection() throws LdapException, IOException {
> > >     if (conn == null) {
> > >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > >         try {
> > >             FileInputStream fis = new FileInputStream("server.jks");
> > >             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> > >             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> > >             char[] password = new String("myCertPass").toCharArray();
> > >             keyStore.load(fis, password);
> > >             tmf.init(keyStore);
> > >             connectionConfig.setTrustManagers(tmf.getTrustManagers());
> > >         } catch (NoSuchAlgorithmException ex) {
> > >             ex.printStackTrace(System.out);
> > >         } catch (KeyStoreException ex) {
> > >             ex.printStackTrace(System.out);
> > >         } catch (CertificateException ex) {
> > >             ex.printStackTrace(System.out);
> > >         }
> > >
> > >         connectionConfig.setLdapHost("myhost");
> > >         connectionConfig.setLdapPort(636);
> > >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >         connectionConfig.setCredentials("mypass");
> > >         connectionConfig.setSslProtocol("SSLv3");
> > >         connectionConfig.setUseTls(true);
> > >         conn = new LdapNetworkConnection(connectionConfig);
> > >         conn.connect();
> > >         conn.startTls();
> > >     }
> > > }
> > >
> > > Thanks in advance
> > >
> > > Flavio
> > >
> > > On Mon, Mar 17, 2014 at 7:33 PM, Kiran Ayyagari <[email protected]> wrote:
> > >
> > >> On Tue, Mar 18, 2014 at 6:36 AM, Flavio Mattos <[email protected]> wrote:
> > >>
> > >> > Hi guys..
> > >> >
> > >> > I have been trying to connect to an open ldap server using ssl/ldaps
> > >> > I can connect to that server using apache studio(via ldaps) and I would
> > >> > like to connect to the same server using the apache api.
> > >> >
> > >> > This is the code... One detail is that I generated the key in the server
> > >> > using openssl
> > >> >
> > >> > Then I have done some research and some people say that I need to generate
> > >> > a key in the java pattern.. so then I generated a PKCS #12 key store using
> > >> > something like
> > >> >
> > >> you don't need to do this unless you want your client to be verified with
> > >> the server
> > >>
> > >> > openssl pkcs12 -export -in cert.pem -inkey key.pem > server.p12
> > >> > and then
> > >> > keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
> > >> >
> > >> > I have attached the stacktrace..
> > >> > The exception happens in the bind method
> > >> >
> > >> > public static void initConnection() throws LdapException, IOException {
> > >> >
> > >> >     LdapConnection conn ...
> > >> >
> > >> >     if (conn == null) {
> > >> >         LdapConnectionConfig connectionConfig = new LdapConnectionConfig();
> > >> >         KeyManagerFactory keyManagerFactory = null;
> > >> >         try {
> > >> >             FileInputStream fis = new FileInputStream("server.jks");
> > >> >             keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
> > >> >             KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
> > >> >             char[] password = new String("mykeyPass").toCharArray();
> > >> >             keyStore.load(fis, password);
> > >> >             keyManagerFactory.init(keyStore, password);
> > >> >             keyManagerFactory.getKeyManagers();
> > >> >             connectionConfig.setKeyManagers(keyManagerFactory.getKeyManagers());
> > >> >         } catch (NoSuchAlgorithmException ex) {
> > >> >             ex.printStackTrace(System.out);
> > >> >         } catch (KeyStoreException ex) {
> > >> >             ex.printStackTrace(System.out);
> > >> >         } catch (UnrecoverableKeyException ex) {
> > >> >             ex.printStackTrace(System.out);
> > >> >         } catch (CertificateException ex) {
> > >> >             ex.printStackTrace(System.out);
> > >> >         }
> > >> >
> > >> just drop all the above KeyManager code and the client will work.
> > >>
> > >> >         connectionConfig.setLdapHost("myhost");
> > >> >         connectionConfig.setLdapPort(636);
> > >> >         connectionConfig.setName("cn=Manager,dc=example,dc=com");
> > >> >         connectionConfig.setCredentials("mypass");
> > >> >         connectionConfig.setUseSsl(true);
> > >> >         connectionConfig.setSslProtocol("SSLv3");
> > >> >         conn = new LdapNetworkConnection(connectionConfig);
> > >> >
> > >> >         conn.connect();
> > >> >         conn.bind();
> > >> >     }
> > >> >
> > >> note that by default the client will trust any X509 certificate used by
> > >> the server, if you want to restrict it then a custom trust manager must
> > >> be provided and set using connectionConfig.setTrustManagers()
> > >>
> > >> > Thanks
> > >> > Flavio
> > >> >
> > >>
> > >> --
> > >> Kiran Ayyagari
> > >> http://keydap.com
> > >
> >
>

--
Kiran Ayyagari
http://keydap.com
