Hi Chris!

Thanks for the fast response.

On 06/01/2010 01:35 PM, Chris Betts wrote:
> you should be able to set logging on the java ssl connection, which
> might tell us something (and is there anything in the server side logs?)

With "loglevel any" I get on the server side:

slapd[9116]: conn=6 fd=23 ACCEPT from IP=x.x.x.x:41458 (IP=x.x.x.x:636)
slapd[9116]: connection_get(23)
slapd[9116]: connection_get(23): got connid=6
slapd[9116]: connection_read(23): checking for input on id=6
slapd[9116]: connection_read(23): TLS accept failure error=-1 id=6, closing
slapd[9116]: connection_closing: readying conn=6 sd=23 for close
slapd[9116]: connection_close: conn=6 sd=23
slapd[9116]: daemon: removing 23
slapd[9116]: conn=6 fd=23 closed (TLS negotiation failure)

which isn't very informative either ;)

> hack the .bat / .sh file to include "-Djavax.net.debug=ssl" and
> see if the handshake logs say anything sensible.

adding as trusted cert:
  Subject: CN=Certificate Authority, O=MiniPKI, C=AU
  Issuer:  CN=Certificate Authority, O=MiniPKI, C=AU
  Algorithm: RSA; Serial number: 0x0
  Valid from Thu May 29 03:36:03 CEST 2003 until Tue May 27 03:36:03 CEST 2008

trigger seeding of SecureRandom
done seeding SecureRandom
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1275327584 bytes = { 28, 110, 23, 63, 103, 190, 236, 250, 247, 81, 5, 56, 135, 231, 130, 128, 95, 50, 182, 123, 50, 148, 96, 233, 13, 124, 231, 155 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
Thread-3, WRITE: TLSv1 Handshake, length = 73
Thread-3, WRITE: SSLv2 client hello message, length = 98
Thread-3, received EOFException: error
Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Thread-3, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Thread-3, WRITE: TLSv1 Alert, length = 2
Thread-3, called closeSocket()
jndiBroker Thread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Jun 1, 2010 1:52:00 PM com.ca.directory.jxplorer.broker.JNDIBroker openConnection

With the help of this logfile I found the following thread:
http://serverfault.com/questions/138286/configuring-openldap-and-ssl

Then I edited my cipher line in slapd.conf. In the SSL debug output of Java a cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" is mentioned. If you enter 'gnutls-cli -l' on the server side you should get a list of supported cipher suites. The strange thing about it is that there is no cipher suite mentioned with the same name - but nearly the same. So I changed the cipher suite to

# TLSCipherSuite TLS_RSA_AES_256_CBC_SHA1
TLSCipherSuite TLS_RSA_AES_128_CBC_SHA1

And NOW I really got the info:

Thread-4, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
Thread-4, WRITE: TLSv1 Alert, length = 2
Thread-4, called closeSocket()
Thread-4, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.
raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
jndiBroker Thread, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.
raw error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Jun 1, 2010 1:56:44 PM com.ca.directory.jxplorer.broker.JNDIBroker openConnection

YUHU! Now we had to add the cert and you won't believe it - it worked!

Here is the summary for anybody who is running into similar issues:

- openldap in debian lenny is built against gnutls and not openssl. In most tutorials it's suggested to set the cipher suite to 'TLS_RSA_AES_256_CBC_SHA1' inside slapd.conf. That's not supported in my "Java(TM) SE Runtime Environment (build 1.6.0_20-b02)"
- Use the "-Djavax.net.debug=ssl" flag to debug the ssl session (thanks Chris for that)

Thanks once again for your hint!
Greets,
Michael

-- 
Michael Hammer
GPG-Key-ID: 0x1BA5F0DE
phone: +43 (0) 650 86 33 55 8
Graz - AUSTRIA
http://www.michael-hammer.at/
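The two failure modes Michael walked through (the server silently dropping the handshake because the Java client and the GnuTLS-built slapd had no cipher suite in common, then the client rejecting the server certificate because the issuing CA was not in its truststore) leave distinct signatures in the slapd log and in the "-Djavax.net.debug=ssl" output. The script below is an added example, not code from the thread, from JXplorer or from OpenLDAP: it classifies those signatures from sample log lines and checks which suites a JSSE ClientHello offers against a "gnutls-cli -l" style list. The Java-to-GnuTLS name translation is a heuristic assumption (drop "WITH", "SSL_" to "TLS_", "RC4" to "ARCFOUR", trailing "SHA" to "SHA1") that covers the RSA/DHE suites in the thread; the log lines and the server suite list are constructed for the example.

```python
import re

# Constructed sample lines modelled on the two failure modes in the thread
# (built here for the example, not captured from a live system).
SERVER_LOG_DROPPED = [
    "slapd[9116]: conn=6 fd=23 ACCEPT from IP=192.0.2.10:41458 (IP=192.0.2.1:636)",
    "slapd[9116]: connection_read(23): TLS accept failure error=-1 id=6, closing",
    "slapd[9116]: conn=6 fd=23 closed (TLS negotiation failure)",
]
CLIENT_LOG_DROPPED = [
    "*** ClientHello, TLSv1",
    "Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]",
    "Thread-3, handling exception: javax.net.ssl.SSLHandshakeException: "
    "Remote host closed connection during handshake",
]
CLIENT_LOG_UNTRUSTED = [
    "Thread-4, SEND TLSv1 ALERT: fatal, description = certificate_unknown",
    "raw error: sun.security.validator.ValidatorException: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target",
]
# A constructed subset of what 'gnutls-cli -l' lists on the server side.
GNUTLS_SERVER_SUITES = [
    "TLS_RSA_AES_256_CBC_SHA1",
    "TLS_RSA_AES_128_CBC_SHA1",
    "TLS_RSA_3DES_EDE_CBC_SHA1",
    "TLS_RSA_ARCFOUR_128_MD5",
]


def java_to_gnutls(name: str) -> str:
    """Translate a JSSE cipher suite name into GnuTLS spelling (heuristic assumption)."""
    if name.startswith("SSL_"):
        name = "TLS_" + name[4:]
    name = name.replace("_WITH_", "_").replace("RC4", "ARCFOUR")
    if name.endswith("_SHA"):
        name += "1"
    return name


def client_hello_suites(lines) -> list:
    """Extract the ClientHello cipher suite list from -Djavax.net.debug=ssl output."""
    text = "\n".join(lines)
    match = re.search(r"Cipher Suites:\s*\[(.*?)\]", text, re.S)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def shared_suites(client_lines, server_suites) -> list:
    """Suites the Java client offered that the GnuTLS server also lists, in client order."""
    server = set(server_suites)
    return [s for s in client_hello_suites(client_lines) if java_to_gnutls(s) in server]


NO_SHARED_SUITE = ("server dropped the handshake: compare the ClientHello suites "
                   "with 'gnutls-cli -l' and TLSCipherSuite in slapd.conf")
UNTRUSTED_CERT = ("client rejected the server certificate: import the issuing CA "
                  "into the client truststore")
UNKNOWN = "no known failure signature in these lines"


def classify(client_lines, server_lines=()) -> str:
    """Map the log signatures from the thread to the likely cause."""
    text = "\n".join(list(client_lines) + list(server_lines))
    # Certificate rejection is checked first: the handshake got far enough
    # for the client to see the certificate, so it is the more specific finding.
    if "certificate_unknown" in text or "PKIX path building failed" in text:
        return UNTRUSTED_CERT
    if "TLS accept failure" in text or "Remote host closed connection during handshake" in text:
        return NO_SHARED_SUITE
    return UNKNOWN


if __name__ == "__main__":
    print(classify(CLIENT_LOG_DROPPED, SERVER_LOG_DROPPED))
    print("shared:", shared_suites(CLIENT_LOG_DROPPED, GNUTLS_SERVER_SUITES))
    print("shared with AES-256 only:", shared_suites(CLIENT_LOG_DROPPED, ["TLS_RSA_AES_256_CBC_SHA1"]))
    print(classify(CLIENT_LOG_UNTRUSTED))
```

Run against the constructed lines, the first case reports the dropped handshake and, with a server list containing only TLS_RSA_AES_256_CBC_SHA1 (the tutorial default Michael started from), shared_suites() comes back empty, which is exactly the situation the ClientHello above shows: that Java 6 runtime never offered an AES-256 suite. Once the server list includes TLS_RSA_AES_128_CBC_SHA1 the intersection is non-empty and the remaining failure is the truststore one.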