Thanks for your support guys. I was able to connect via LDAPS connection with Studio, which presumably uses the Apache LDAP API? Under:

DN: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config

I have the setting:

ads-enabledprotocols: TLSv1.2

I only just added this on Emmanuel's guidance, but I get the same problem. The Java LDAPS client is using Oracle JDK8, which defaults to using the TLSv1.2 protocol.

Yeh, I followed through some of the Google links. I noticed some references to similar problems happening more frequently with certain ciphers (http://apache-ignite-users.70518.x6.nabble.com/Random-SSL-unsupported-record-version-td8406.html), although in my case the connection always fails rather than failing randomly.

I see a question raised in March in the archives (http://mail-archives.apache.org/mod_mbox/directory-users/201703.mbox/browser - "Problem with limiting ciphers for ldaps") about the possibility of restricting the ciphers used, as I was going to try and use a different cipher, maybe an older, less secure one just for test purposes, to see if I get the same problem. However, I don't think this cipher restriction is supported in ApacheDS configuration?

That archived question also asks how the cipher list is arrived at and whether the java.security specified providers are consulted to figure out the ciphers that are supported by the installed Java version. For example, in my case Apache DS is running on OpenJDK 7 but my client is running on Oracle JDK 8. I'll try upgrading to Oracle JDK 8 on the host for Apache DS and see if it makes a difference.

On Wed, Jul 26, 2017 at 2:58 PM, Shawn McKinney <smckin...@apache.org> wrote:
>
> > On Jul 26, 2017, at 3:19 AM, John Lee <jhn134...@gmail.com> wrote:
> >
> > I'm having a problem establishing an LDAPS connection between the spring-ldap client and ApacheDS. Details are provided on Stack Overflow, as this is the official forum for spring-ldap and I assume the problem is client-side:
> >
> > https://stackoverflow.com/questions/45232244/cannot-establish-tls-connection-between-spring-ldap-client-and-apacheds
>
> Nice writeup on overflow.
>
> This error jumped out at me:
>
> Thread-8, handling exception: javax.net.ssl.SSLException: Unsupported record version Unknown-38.2
> %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
> Thread-8, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
>
> for which I googled:
>
> "javax.net.ssl.SSLException: Unsupported record version Unknown-38.2 %% Invalidated"
>
> and found some hits. Have you chased those down?
>
> The other thing you can try is connecting with the Apache LDAP API instead of spring ldap. I am not suggesting that spring ldap's APIs are broken on TLS. I'm saying that ApacheDS + its own LDAP API are a combination that has been tested by us here, and we're going to have better support for you.
>
> There's some doc about the API and crypto stuff here:
> http://directory.apache.org/api/user-guide/5.1-ldaps.html
>
> Oh, and welcome to the list. Good luck.
>
> Shawn
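As an added example (not code from this thread or from the ApacheDS/Apache LDAP API project), a small Java program that first prints the TLS protocols and cipher suites the running JVM enables by default (which is how each side's "cipher list" is arrived at, so it is worth running on both the client JDK and the JDK hosting ApacheDS), then binds over LDAPS with the Apache LDAP API while restricting the handshake to TLSv1.2 and one cipher suite, so a protocol or cipher mismatch can be reproduced one variable at a time. It assumes an Apache LDAP API 1.0.x release where LdapConnectionConfig has setEnabledProtocols and setEnabledCipherSuites; the host, port, bind DN, password and the chosen suite are placeholders.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class LdapsProbe {

    // What this JVM will offer in a handshake: its default and its maximum protocol/cipher sets.
    // Compare this output from the client JDK with the same output from the JDK running ApacheDS.
    static void dumpJvmTls() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        System.out.println("default protocols:   " + Arrays.toString(defaults.getProtocols()));
        System.out.println("supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("default cipher suites:");
        for (String suite : defaults.getCipherSuites()) {
            System.out.println("  " + suite);
        }
    }

    public static void main(String[] args) throws Exception {
        dumpJvmTls();

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(args.length > 0 ? args[0] : "ldap.example.test"); // placeholder host
        config.setLdapPort(args.length > 1 ? Integer.parseInt(args[1]) : 636);
        config.setUseSsl(true);
        // Pin the client to the protocol the server's ads-enabledprotocols attribute allows...
        config.setEnabledProtocols(new String[] { "TLSv1.2" });
        // ...and to a single suite (an arbitrary AES-128 choice), so each run changes one variable.
        config.setEnabledCipherSuites(new String[] { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" });
        // ApacheDS's out-of-the-box admin account; placeholder credentials, replace for a real server.
        config.setName("uid=admin,ou=system");
        config.setCredentials("secret");

        LdapNetworkConnection conn = new LdapNetworkConnection(config);
        try {
            conn.bind(); // the TLS handshake happens here; a mismatch surfaces as an exception
            System.out.println("LDAPS bind ok, authenticated=" + conn.isAuthenticated());
        } finally {
            conn.close();
        }
    }
}
```

The server certificate must be trusted by the JVM's default truststore; for a self-signed ApacheDS certificate, supply a TrustManager built from a truststore containing it via config.setTrustManagers(...).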