On 26/07/2017 at 18:57, John Lee wrote:
> Thanks for your support guys.
>
> I was able to connect via LDAPS connection with Studio which presumably
> uses the Apache LDAP API?

Yes.

> Under : DN:
> ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
> I have setting :
>
> ads-enabledprotocols:TLSv1.2

Which is ok.

>
> I only just added this on Emmanuel's guidance, but I get the same problem.
> The Java LDAPS client is using Oracle JDK8 which defaults to using the
> TLSv1.2 protocol.
>
> Yeah, I followed through some of the Google links. I noticed some references
> to similar problems happening more frequently with certain ciphers (
> http://apache-ignite-users.70518.x6.nabble.com/Random-SSL-unsupported-record-version-td8406.html),
> although in my case the connection always fails rather than fails randomly.
>
> I see a question raised in March in archives (
> http://mail-archives.apache.org/mod_mbox/directory-users/201703.mbox/browser
> - Problem with limiting ciphers for ldaps) about the possibility of
> restricting the ciphers used, as I was going to try and use a different
> cipher, maybe older less secure one just for test purposes to see if I get
> the same problem. However, I don't think this cipher restriction is
> supported in ApacheDS configuration?
>
> That archived question also asks how the cipher list is arrived at and if
> java.security specified providers are consulted to figure out the ciphers
> that are supported by the installed Java version. For example, in my case
> ApacheDS is running on OpenJDK 7 but my client is running on Oracle JDK 8.
> I'll try upgrading to use Oracle JDK 8 on the host for ApacheDS and see if
> it makes a difference.

Yes, try to run ApacheDS with Java 7. I was a bit quick in my previous
answer, btw. Clearly, the ClientHello and ServerHello exchanges have been
done properly, with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 being selected,
and TLSv1.2 being used.

Be sure that the server uses Java with the Unlimited Strength Jurisdiction
Policy Files
(http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html).

--
Emmanuel Lecharny
Symas.com
directory.apache.org
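
Added example (not part of the original message and not ApacheDS code): a check to run with the same JVM that runs the server, showing whether the JCE policy in effect permits AES-256 and whether the suite named in the reply above is supported and enabled. The class name TlsPolicyCheck is hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example; the class name is hypothetical.
// Run it with the JVM that runs the LDAPS server, then with the client's JVM, and compare.
public class TlsPolicyCheck {
    // Suite named in the reply as the one selected during the handshake.
    static final String SUITE = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";

    // True when the installed JCE policy permits AES keys of at least 256 bits.
    // With the limited (default export) policy files this limit is 128.
    static boolean aes256Allowed() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version")
                + " (" + System.getProperty("java.vendor") + ")");
        System.out.println("Max AES key length allowed by JCE policy: "
                + Cipher.getMaxAllowedKeyLength("AES"));

        // The default context reflects what this JVM offers without extra configuration.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        List<String> supportedSuites = Arrays.asList(supported.getCipherSuites());
        List<String> enabledSuites = Arrays.asList(enabled.getCipherSuites());

        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled protocols:   " + Arrays.toString(enabled.getProtocols()));
        System.out.println(SUITE + " supported=" + supportedSuites.contains(SUITE)
                + " enabled=" + enabledSuites.contains(SUITE));

        if (!aes256Allowed()) {
            System.out.println("AES-256 is blocked by the installed policy files; "
                    + "AES_256 suites cannot be used by this JVM.");
            System.exit(1);
        }
    }
}
```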