[
https://issues.apache.org/jira/browse/DIRSERVER-2318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18058075#comment-18058075
]
Aurelien Tisné commented on DIRSERVER-2318:
-------------------------------------------
The same issue appeared recently after upgrading to JDK 21.
I noticed that the issue disappears when I exclude the value {{TLS_RSA_*}} from
the {{jdk.tls.disabledAlgorithms}} property in the file
{{/etc/java-21-openjdk/security/java.security}}.
For your information, my LDAP communications are encrypted with a Let's Encrypt
certificate.
> StartTLS and LDAPS are not working
> ----------------------------------
>
> Key: DIRSERVER-2318
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2318
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap, security
> Affects Versions: 2.0.0-M24, 2.0.0.AM26
> Environment: Ubuntu 20.04 clean installation used for both client and
> server. Used version 2.0.0~M24-3 from Ubuntu repository and version
> 2.0.0.AM26 deb package from official website. Using openjdk-14-jre and
> openjdk-11-jre from Ubuntu repository. Apache Studio 2.0.0-M15 from website.
> Reporter: Karl Frauendienst
> Priority: Major
> Attachments: Apache_Studio_StartTLS.log
>
>
> Attempting to make a secure LDAP connection results in a handshake failure with
> an unknown error. No error with unencrypted connections. Tested on two
> separate systems.
> First setup: Ubuntu Server 20.04 with apacheds 2.0.0~M24-3 installed from
> repository. Tried both default-jre (openjdk-11-jre) and openjdk-14-jre.
> Running Apache Studio 2.0.0-M15 from official website on a separate Ubuntu
> Desktop 20.04 system and tested with same two jre versions. On this setup, I
> occasionally got an error stating the key was only 512 bits, so I used
> keytool according to the ApacheDS getting started guide to create and use a
> 2048 bit keypair. Following that I only get the handshake failure.
> Second setup: Ubuntu Desktop 20.04 running openjdk-14-jre with ApacheDS
> 2.0.0.AM26 deb pkg and Apache Studio 2.0.0-M15 from official website. This
> produces the handshake error. I believe the issue is server side because I
> can produce a similar handshake error using ldapsearch. It works fine
> unencrypted, but fails using either StartTLS on port 10389 or LDAPS on 10636.
> I did not replace the keypair in this setup. This setup occasionally will
> work with StartTLS and LDAPS but will seemingly work or not work
> intermittently with no configuration changes being made.
> I have tested with Apache Studio SSL verification both enabled and disabled
> in both cases.
> Errors produced include:
> !MESSAGE Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> !MESSAGE The authentication failed
> - ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified
> !MESSAGE
> org.apache.directory.api.ldap.model.exception.LdapTlsHandshakeException:
> ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified
> !MESSAGE ERR_01200_BAD_TRANSITION_FROM_STATE Bad transition from state
> START_STATE, tag 0x15
> !MESSAGE org.apache.directory.api.ldap.codec.api.ResponseCarryingException:
> ERR_01200_BAD_TRANSITION_FROM_STATE Bad transition from state START_STATE,
> tag 0x15
> !MESSAGE Error while opening connection
> - PROTOCOL_ERROR: The server will disconnect!
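Added example, not ApacheDS code and not from either poster: a small Java program that reports what {{jdk.tls.disabledAlgorithms}} resolves to in the running JVM and sorts the default cipher suites into static-RSA key exchange (the {{TLS_RSA_*}} family the comment above re-enables) versus ECDHE. Run it with the same JDK that runs ApacheDS to see what the server side can actually offer. The class name and the {{--allow-rsa}} flag are this example's own; the flag mimics the commenter's edit for a single JVM instead of the system-wide file.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;

/**
 * Added example (not part of ApacheDS): inspect which TLS cipher suites this
 * JVM will negotiate and whether static-RSA key exchange (TLS_RSA_*) is among
 * them. JDK 21 lists "TLS_RSA_*" in jdk.tls.disabledAlgorithms by default.
 */
public class TlsSuiteCheck {

    static final String PROP = "jdk.tls.disabledAlgorithms";

    /** Static RSA key exchange: the server's RSA key decrypts the premaster secret, so no forward secrecy. */
    static boolean isStaticRsa(String suite) {
        return suite.startsWith("TLS_RSA_") || suite.startsWith("SSL_RSA_");
    }

    /** Ephemeral (EC)DH key exchange; works with an RSA or EC certificate. */
    static boolean isEphemeral(String suite) {
        return suite.contains("_ECDHE_") || suite.contains("_DHE_")
                || suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_"); // TLS 1.3 suites
    }

    /**
     * Drop the "TLS_RSA_*" entry from jdk.tls.disabledAlgorithms for this JVM only.
     * Must run before any SSLContext/SSLSocketFactory is touched: SunJSSE reads
     * the property once when it initializes its algorithm constraints.
     */
    static void allowStaticRsaForThisJvm() {
        String current = Security.getProperty(PROP);
        if (current == null) {
            return;
        }
        String patched = Arrays.stream(current.split(","))
                .map(String::trim)
                .filter(entry -> !entry.equals("TLS_RSA_*"))
                .collect(Collectors.joining(", "));
        Security.setProperty(PROP, patched);
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("--allow-rsa")) {
            allowStaticRsaForThisJvm();
        }

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println(PROP + " = " + Security.getProperty(PROP));

        // Default context = the one ApacheDS gets unless it builds its own.
        SSLContext ctx = SSLContext.getDefault();
        List<String> suites = Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        List<String> rsa = suites.stream().filter(TlsSuiteCheck::isStaticRsa).collect(Collectors.toList());
        List<String> pfs = suites.stream().filter(TlsSuiteCheck::isEphemeral).collect(Collectors.toList());

        System.out.println("enabled suites: " + suites.size());
        System.out.println("forward-secret (ECDHE/DHE/TLS 1.3): " + pfs.size());
        pfs.forEach(s -> System.out.println("  " + s));
        System.out.println("static RSA key exchange (TLS_RSA_*): " + rsa.size());
        rsa.forEach(s -> System.out.println("  " + s));

        if (pfs.isEmpty()) {
            System.out.println("WARNING: no forward-secret suites enabled; check the keystore and protocols");
            System.exit(1);
        }
    }
}
```

Usage: compile and run with the ApacheDS JDK ({{javac TlsSuiteCheck.java && java TlsSuiteCheck}}), then again with {{--allow-rsa}} to compare. The caveat a practitioner should keep in mind: {{TLS_RSA_*}} suites have no forward secrecy, which is why JDK 21 disables them; an RSA certificate such as the Let's Encrypt one mentioned above still works with the {{TLS_ECDHE_RSA_*}} suites, so the preferable outcome is a handshake on one of those. If static RSA really must be re-enabled for ApacheDS, scope it to that JVM with an override file passed as {{-Djava.security.properties=/path/to/override.properties}} containing the patched {{jdk.tls.disabledAlgorithms}} line, rather than editing the distribution's {{java.security}} for every Java process on the host.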
--
This message was sent by Atlassian Jira
(v8.20.10#820010)