[ https://issues.apache.org/jira/browse/DIRSTUDIO-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann resolved DIRSTUDIO-1011.
----------------------------------------
    Resolution: Done

Tested with a current Java 11.0.11 and 17-ea, Studio sends either TLSv1.2 or TLSv1.3. I assume it was caused by usage of older Java versions.

> ApacheStudio sends SSLv2 Client Hello
> -------------------------------------
>
>                 Key: DIRSTUDIO-1011
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-1011
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
>            Reporter: Roy Wellington
>            Priority: Major
>
> I'm attempting to configure TLS on an ApacheDS server. I've checked the boxes
> indicated by the docs; attempting to connect over either StartTLS or LDAPS
> both result in "SSL handshake failed."
> Tracing the conversation in Wireshark shows that ApacheDS is sending an SSLv2
> (!) Client Hello, which the server responds to with a TLSv1.0 "Unexpected
> Message" (which is correct). ApacheDS should not be sending an SSLv2 Client
> Hello; instead, it should use the most recent version of TLS. (SSLv2, and
> SSLv3, are broken, and insecure.)
> Simply running,
> {noformat}
> % ldapsearch -H ldaps://<my domain>:10636
> {noformat}
> …gets me further in the conversation. (Although {{ldapsearch}} complains
> about a bad certificate, but that's because the cert is self-signed;
> Wireshark shows that it _is_ getting further in the SSL conversation (it is
> getting a Server Hello back) than ApacheDS.)
> Note: I'm connecting to an ApacheDS server running on a Linux VM, through an
> SSH tunnel; I've edited /etc/hosts so that the DNS name still points to the
> right spot. This should not matter, and I can still connect with openssl (to
> the LDAPS side; obviously openssl is not capable of StartTLS).
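
Added example, not part of the original message or of Directory Studio's code: a small classifier for the first bytes a client sends on an LDAPS port, telling an SSLv2-format Client Hello (as seen in the Wireshark trace above) from a TLS record and reporting the version field it carries. The function name and the sample byte strings are constructed for illustration.

```python
import struct

# Wire values of the (major, minor) version field.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Report the framing of a ClientHello and the version field it carries.

    For TLS 1.3 the field reads TLSv1.2 by design; the real offer is in the
    supported_versions extension, which this sketch does not parse.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    # SSLv2 framing: 2-byte header with the high bit set (15-bit length),
    # msg_type 1 (CLIENT-HELLO), then the 2-byte version the client offers.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        framing, version = "sslv2-format", (data[3], data[4])
    # TLS framing: content type 22 (handshake), record version, 2-byte
    # length, handshake type 1, 3-byte length, then client_version.
    elif data[0] == 0x16 and len(data) >= 11 and data[5] == 0x01:
        length = struct.unpack(">H", data[3:5])[0]
        framing, version = "tls-record", (data[9], data[10])
    else:
        raise ValueError("not a ClientHello")
    offered = VERSIONS.get(version, "unknown")
    return {"framing": framing, "record_length": length, "offered": offered,
            # Flag SSLv2 framing or any version field other than TLSv1.2.
            "legacy": framing == "sslv2-format" or offered != "TLSv1.2"}

# Constructed sample prefixes (not captured from the reported session).
SSLV2_FORMAT_TLS10 = bytes.fromhex("802e01030100150000" "0010")
PURE_SSLV2 = bytes.fromhex("801c01000200030000" "0010")
TLS_RECORD_TLS12 = bytes.fromhex("16030100c8010000c40303")

if __name__ == "__main__":
    for name, sample in [("sslv2-format/TLSv1.0", SSLV2_FORMAT_TLS10),
                         ("pure SSLv2", PURE_SSLV2),
                         ("TLS record", TLS_RECORD_TLS12)]:
        print(name, classify_client_hello(sample))
```

An SSLv2-format hello can name a higher version in its version field, so the `offered` value, not the framing alone, shows what the client was willing to negotiate.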