[https://issues.apache.org/jira/browse/DIRSERVER-2318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17144962#comment-17144962]
Karl Frauendienst commented on DIRSERVER-2318:
----------------------------------------------
I listed above several configurations that I have tried, but you can reproduce
the issue like this:
# Install Ubuntu Desktop 20.04 (using VMware ESXi virtual machine with static IP)
# Install updates and restart
# apt install openjdk-14-jre
# Install [apacheds-2.0.0.AM26-amd64.deb|https://mirror.olnevhost.net/pub/apache//directory/apacheds/dist/2.0.0.AM26/apacheds-2.0.0.AM26-amd64.deb]
# Unpack [ApacheDirectoryStudio-2.0.0.v20200411-M15-linux.gtk.x86_64.tar.gz|http://apache.spinellicreations.com/directory/studio/2.0.0.v20200411-M15/ApacheDirectoryStudio-2.0.0.v20200411-M15-linux.gtk.x86_64.tar.gz]
# systemctl start apacheds
Opening the server configuration shows that LDAPS is already enabled by default.
Unencrypted connection to 10389 works fine. StartTLS connection to 10389 and
LDAPS connection to 10636 frequently have handshake errors but will
occasionally work. I have connected with Apache Studio, ldapsearch, and
Nextcloud, and had the same result with all three.
> StartTLS and LDAPS are not working
> ----------------------------------
>
> Key: DIRSERVER-2318
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2318
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap, security
> Affects Versions: 2.0.0-M24, 2.0.0.AM26
> Environment: Ubuntu 20.04 clean installation used for both client and
> server. Used version 2.0.0~M24-3 from Ubuntu repository and version
> 2.0.0.AM26 deb package from official website. Using openjdk-14-jre and
> openjdk-11-jre from Ubuntu repository. Apache Studio 2.0.0-M15 from website.
> Reporter: Karl Frauendienst
> Priority: Major
> Attachments: Apache_Studio_StartTLS.log
>
>
> Attempting to make a secure LDAP connection results in handshake failure with
> unknown error. No error with unencrypted connections. Tested on two
> separate systems.
> First setup: Ubuntu Server 20.04 with apacheds 2.0.0~M24-3 installed from
> repository. Tried both default-jre (openjdk-11-jre) and openjdk-14-jre.
> Running Apache Studio 2.0.0-M15 from official website on a separate Ubuntu
> Desktop 20.04 system and tested with same two jre versions. On this setup, I
> occasionally got an error stating the key was only 512 bits, so I used
> keytool according to the ApacheDS getting started guide to create and use a
> 2048 bit keypair. Following that I only get the handshake failure.
> Second setup: Ubuntu Desktop 20.04 running openjdk-14-jre with ApacheDS
> 2.0.0.AM26 deb pkg and Apache Studio 2.0.0-M15 from official website. This
> produces the handshake error. I believe the issue is server side because I
> can produce a similar handshake error using ldapsearch. It works fine
> unencrypted, but fails using either StartTLS on port 10389 or LDAPS on 10636.
> I did not replace the keypair in this setup. This setup occasionally will
> work with StartTLS and LDAPS but will seemingly work or not work
> intermittently with no configuration changes being made.
> I have tested with Apache Studio SSL verification both enabled and disabled
> in both cases.
> Errors produced include:
> !MESSAGE Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> !MESSAGE The authentication failed
> - ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified
> !MESSAGE
> org.apache.directory.api.ldap.model.exception.LdapTlsHandshakeException:
> ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified
> !MESSAGE ERR_01200_BAD_TRANSITION_FROM_STATE Bad transition from state
> START_STATE, tag 0x15
> !MESSAGE org.apache.directory.api.ldap.codec.api.ResponseCarryingException:
> ERR_01200_BAD_TRANSITION_FROM_STATE Bad transition from state START_STATE,
> tag 0x15
> !MESSAGE Error while opening connection
> - PROTOCOL_ERROR: The server will disconnect!
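A probe for the intermittent handshake failures described above, added here as an example and not code from the bug report or from ApacheDS: it runs the LDAPS handshake, or the LDAP StartTLS extended operation followed by the handshake, repeatedly against one host and port and tallies the outcomes, so a mix of ok and ssl-error results with no configuration change shows up at a glance. The host and the ports 10389 (StartTLS) and 10636 (LDAPS) are assumptions taken from the report's defaults; certificate verification is switched off because the handshake itself is what is being diagnosed.

```python
import socket
import ssl
from collections import Counter

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511 s4.14


def build_starttls_request(msg_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext_req = bytes([0x77, len(name)]) + name               # [APPLICATION 23]
    body = bytes([0x02, 0x01, msg_id]) + ext_req            # INTEGER messageID
    return bytes([0x30, len(body)]) + body                  # SEQUENCE


def starttls_result_code(response):
    """resultCode of an ExtendedResponse ([APPLICATION 24]), or None when the bytes
    are not an LDAP PDU (e.g. a TLS alert record, content type 0x15)."""
    def skip_len(i):  # step over a short- or long-form BER length at offset i
        return i + 1 + ((response[i] & 0x7F) if response[i] & 0x80 else 0)
    try:
        i = skip_len(1)
        if response[0] != 0x30 or response[i:i + 2] != b"\x02\x01" or response[i + 3] != 0x78:
            return None
        j = skip_len(i + 4)
        return response[j + 2] if response[j:j + 2] == b"\x0a\x01" else None
    except IndexError:
        return None


def probe_once(host, port, starttls=False, timeout=5.0):
    """One handshake attempt; returns 'ok:<version>' or a short failure label."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnosing the handshake itself, not the chain
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if starttls:
                sock.sendall(build_starttls_request())
                code = starttls_result_code(sock.recv(4096))
                if code != 0:
                    return f"starttls-refused:{code}"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except ssl.SSLError as e:
        return "ssl-error:" + (e.reason or "unknown")
    except OSError as e:
        return "socket-error:" + type(e).__name__


def probe(host, port, starttls=False, attempts=10):
    # Tally repeated handshakes: intermittent failures show up as a mix of labels.
    return Counter(probe_once(host, port, starttls) for _ in range(attempts))
```

Call, for example, `probe("127.0.0.1", 10636)` and `probe("127.0.0.1", 10389, starttls=True)` and compare the two tallies.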
--
This message was sent by Atlassian Jira
(v8.3.4#803005)