[ 
https://issues.apache.org/jira/browse/DIRSERVER-2223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16372698#comment-16372698
 ] 

Martin Choma commented on DIRSERVER-2223:
-----------------------------------------

When I try to connect to ApacheDS with Apache Studio both sides negotiate 
TLS_DH_anon_WITH_AES_256_GCM_SHA384

{code}
*** ClientHello, TLSv1.2
RandomCookie:  random_bytes = {5A 8E 9A 86 71 3F 08 B8 2C BE AC 65 21 30 3D 87 
1B F9 DF 5A 68 B9 1D 14 FE 3F 09 2F 87 D7 E1 4A}
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, 
TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, 
TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, 
TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, 
TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, 
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, 
SSL_DH_anon_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, 
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, 
SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, 
TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, 
TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, 
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, 
sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, 
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, 
SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, 
SHA1withRSA, SHA1withDSA
Unsupported extension type_23, data: 
{code}

> JDK 9 ldaps does not work
> -------------------------
>
>                 Key: DIRSERVER-2223
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2223
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M24
>            Reporter: Martin Choma
>            Priority: Major
>
> I have migrated from JDK 8 to JDK 9. I started to get {noformat}no cipher 
> suites in common{noformat}.
> I am using org.apache.directory.api as a client connecting to ApacheDS 
> ldaps://localhost:10636 url.
> I get
> {code}
> *** ClientHello, TLSv1.2
> RandomCookie:  random_bytes = {FD 5B C5 87 7A 4B 58 AC BB BB 1D 62 6C BB DF 
> CC 12 8F F3 3D 0B 57 EA B5 AC AA 7C E0 94 C6 98 EE}
> Session ID:  {}
> Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, 
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, 
> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, 
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
> TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 
> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> Compression Methods:  { 0 }
> Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, 
> sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
> Extension ec_point_formats, formats: [uncompressed]
> Extension signature_algorithms, signature_algorithms: SHA512withECDSA, 
> SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, 
> SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, 
> SHA1withECDSA, SHA1withRSA, SHA1withDSA
> Extension status_request_v2
> CertStatusReqItemV2: ocsp_multi, OCSPStatusRequest
>     ResponderIds: <EMPTY>
>     Extensions: <EMPTY>
> CertStatusReqItemV2: ocsp, OCSPStatusRequest
>     ResponderIds: <EMPTY>
>     Extensions: <EMPTY>
> Extension status_request: ocsp, OCSPStatusRequest
>     ResponderIds: <EMPTY>
>     Extensions: <EMPTY>
> ***
> %% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
> NioProcessor-6, fatal error: 40: no cipher suites in common
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> %% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
> NioProcessor-6, fatal: engine already closed.  Rethrowing 
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> 10:48:16,382 WARN  [org.apache.directory.server.ldap.LdapProtocolHandler] 
> (NioProcessor-6) Unexpected exception forcing session to close: sending 
> disconnect notice to client.: javax.net.ssl.SSLHandshakeException: SSL 
> handshake failed.
>       at 
> org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:519)
> {code}
> Once I specify on client side
> {code}
> tlsConfig.setEnabledCipherSuites(new String[] { 
> "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
>                 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 
> "TLS_RSA_WITH_AES_256_CBC_SHA256",
>                 "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", 
> "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
>                 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 
> "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
>                 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 
> "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
>                 "TLS_RSA_WITH_AES_256_CBC_SHA", 
> "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
>                 "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", 
> "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
>                 "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 
> "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
>                 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 
> "TLS_RSA_WITH_AES_128_CBC_SHA256",
>                 "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", 
> "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
>                 "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", 
> "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
>                 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 
> "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
>                 "TLS_RSA_WITH_AES_128_CBC_SHA", 
> "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
>                 "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", 
> "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
>                 "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 
> "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
>                 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 
> "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
>                 "TLS_RSA_WITH_AES_256_GCM_SHA384", 
> "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
>                 "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", 
> "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
>                 "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", 
> "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
>                 "TLS_RSA_WITH_AES_128_GCM_SHA256", 
> "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
>                 "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", 
> "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
>                 "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", 
> "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
>                 "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 
> "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
>                 "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", 
> "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
>                 "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 
> "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
>                 "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 
> "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
>                 "TLS_DH_anon_WITH_AES_128_GCM_SHA256", 
> "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
>                 "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", 
> "TLS_DH_anon_WITH_AES_256_CBC_SHA",
>                 "TLS_DH_anon_WITH_AES_128_CBC_SHA256", 
> "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
>                 "TLS_DH_anon_WITH_AES_128_CBC_SHA", 
> "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
>                 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", 
> "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA",
>                 "SSL_DHE_DSS_WITH_DES_CBC_SHA", 
> "SSL_DH_anon_WITH_DES_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256",
>                 "TLS_ECDHE_ECDSA_WITH_NULL_SHA", 
> "TLS_ECDHE_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_SHA",
>                 "TLS_ECDH_ECDSA_WITH_NULL_SHA", "TLS_ECDH_RSA_WITH_NULL_SHA", 
> "TLS_ECDH_anon_WITH_NULL_SHA",
>                 "SSL_RSA_WITH_NULL_MD5", "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 
> "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
>                 "TLS_KRB5_WITH_DES_CBC_SHA", "TLS_KRB5_WITH_DES_CBC_MD5" });
> {code}
> Both nodes can agree on TLS_DH_anon_WITH_AES_256_GCM_SHA384.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to