Hi Emmanuel, a few questions:

- Java version?
- Server LDAPS configuration? (typically, which TLS protocol versions are you allowing)
- Do you require client auth? Request client auth?
- Can you provide the full debug log?
- Can you start the server with -Djavax.net.debug=all and provide the produced logs?

On 24/10/2018 at 16:51, Emmanuel Quevillon wrote:
> Hi,
>
> I've freshly installed ApacheDirectory (AD) (2.0.0.AM25) on a debian server
> (9.5) and all installed nicely.
> As recommended in the documentation, I've changed the admin user password.
> I did it using ApacheDirectory Studio (ADS) installed
> on my mac.
>
> So using ADS, I can connect nicely to AD using port 10389 (configured) using
> no encrypted connection.
> I've then decided to activate (and test) ldaps and tls as recommended in the
> documentation.
> I've created my own keystore file to be loaded on the server under
> /opt/apacheds-2.0.0.AM25/conf directory
> and set this into ADS. The keystore file is valid for 10 years.
>
> I've been able to create 2 new connections with ADS, one ldaps using port
> 10636 and one using TLS on port 10389,
> all of them connecting with admin user. All seem ok as I can open the
> connection using ADS to the remote server
> and can navigate on LDAP tree.
>
> Where my problem is, is that when I try to connect using ldapsearch on the
> command line, I cannot connect to the remote
> server :(
>
> So my first question is, are my ADS secured connections really secured??
>
> The other question is, could someone light my lantern on such error thrown in
> the apacheDS logs:
>
> [16:40:33] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
> Unexpected exception forcing session to close: sending disconnect notice to
> client.
> javax.net.ssl.SSLException: Unsupported record version Unknown-5.2
> at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
> at
> sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:113)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:868)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> ...
> [16:40:33] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] -
> Unexpected exception forcing session to close: sending disconnect notice to
> client.
> javax.net.ssl.SSLException: SSLEngine error during encrypt: CLOSED src:
> java.nio.HeapByteBuffer[pos=0 lim=81 cap=81]outNetBuffer: HeapBuffer[pos=31
> lim=16921 cap=16921: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00...]
> at org.apache.mina.filter.ssl.SslHandler.encrypt(SslHandler.java:458)
> at org.apache.mina.filter.ssl.SslFilter.filterWrite(SslFilter.java:653)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:753)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:49)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:1159)
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:345)
>
> What could cause the Unknown-5.2 error?
>
> and from ldapsearch command line utility:
>
> $ ldapsearch -H ldap://host:10389 -D "uid=admin,ou=system" -b
> "uid=admin,ou=system" -w password -v -ZZ
> ldap_initialize( ldap://host:10389/??base )
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
>
> in debug mode
> ...
> ldap_msgfree
> TLS: peer cert untrusted or revoked (0x42)
> TLS: can't connect: (unknown error code).
> ldap_err2string
> ldap_start_tls: Connect error (-11)
> additional info: (unknown error code)
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 3
> ldap_free_connection: actually freed
> ....
>
> Looks like my certificate is revoked (should be valid until 2028)
>
> Trying ldaps:
>
> $ ldapsearch -H ldaps://host:10636 -D "uid=admin,ou=system" -b
> "uid=admin,ou=system" -v -x
> ldap_initialize( ldaps://host:10636/??base )
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> This certificate has been created as such:
>
> $ keytool -genkey -keyalg "RSA" -alias ldap -keystore ldap.ks -validity 3650
>
> I've of course answered the questions asked during certificate creation.
>
> Thanks in advance, since I've been losing my nerves for three days.
>
> Regards
>
> --
> Emmanuel Quevillon
> DevOps - omicX
> https://omicx.com | https://omictools.com

--
Emmanuel Lecharny
Symas.com
directory.apache.org
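The two failures quoted above sit on different layers: "peer cert untrusted or revoked" is the OpenLDAP client refusing a server certificate it has no trust anchor for (a self-signed keytool certificate is untrusted by default until the client is pointed at it via TLS_CACERT in ldap.conf or the LDAPTLS_CACERT environment variable, typically after exporting it in PEM form with keytool -exportcert -rfc), while "Unsupported record version Unknown-5.2" is the server's SSLEngine rejecting the record header it received. The helper below is an added example, not code from ApacheDS, Apache MINA or the poster. It triages the first bytes seen on a TLS listener the way a defender would read them from a capture: the layout it assumes is the standard TLS record header (content type, version major, version minor, 2-byte length, RFC 5246 section 6.2.1), and it renders a version pair as "Unknown-X.Y" to match the shape of the server log line; the SSLv2-hello and plaintext-LDAP checks are heuristics of my own, and all sample inputs are constructed.

```python
"""Classify the first bytes that arrived on a TLS listener (LDAPS or StartTLS).

Added example for the thread above, not code from ApacheDS or the poster.
Assumption: the byte layout is the standard TLS record header
(content type, version major, version minor, 2-byte length); the "Unknown-X.Y"
text in the server log is that version pair printed as major.minor.
All sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# TLS record content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {
    0x14: "ChangeCipherSpec",
    0x15: "Alert",
    0x16: "Handshake",
    0x17: "ApplicationData",
}

# Record-layer versions JSSE names; anything else is rendered as Unknown-X.Y.
KNOWN_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}


@dataclass(frozen=True)
class Verdict:
    kind: str     # tls | tls-bad-version | sslv2-hello | ldap-plaintext | unknown
    version: str  # e.g. "TLSv1.2", "Unknown-5.2", or "" when not applicable
    detail: str


def version_name(major: int, minor: int) -> str:
    """Render a record version the way the server's error message does."""
    return KNOWN_VERSIONS.get((major, minor), f"Unknown-{major}.{minor}")


def triage(head: bytes) -> Verdict:
    """Decide what kind of client sent `head` (the first bytes of a connection)."""
    if len(head) < 5:
        return Verdict("unknown", "", "need at least 5 bytes to read a record header")
    b0 = head[0]

    # Case 1: TLS record layout: content type, version, length.
    if b0 in CONTENT_TYPES:
        major, minor = head[1], head[2]
        length = int.from_bytes(head[3:5], "big")
        name = version_name(major, minor)
        if (major, minor) in KNOWN_VERSIONS:
            return Verdict("tls", name, f"{CONTENT_TYPES[b0]} record, body {length} bytes")
        # This is the shape behind "Unsupported record version Unknown-X.Y":
        # a plausible content type followed by a version pair the engine rejects.
        return Verdict("tls-bad-version", name,
                       f"{CONTENT_TYPES[b0]} content type but version bytes "
                       f"{major:#04x} {minor:#04x} are not a TLS version")

    # Case 2 (heuristic): SSLv2-compatible ClientHello: 2-byte length with the
    # high bit set, message type 1, then the highest version the client offers.
    if b0 & 0x80 and head[2] == 0x01:
        return Verdict("sslv2-hello", version_name(head[3], head[4]),
                       "SSLv2-format ClientHello (legacy client or scanner)")

    # Case 3 (heuristic): plaintext LDAP. Every LDAPMessage is a BER SEQUENCE
    # (0x30) whose first element is the INTEGER messageID (0x02); short-form
    # length only, which covers ordinary bind and search requests.
    if b0 == 0x30 and head[1] < 0x80 and head[2] == 0x02:
        return Verdict("ldap-plaintext", "",
                       "BER LDAPMessage sent in the clear, e.g. ldap:// without "
                       "StartTLS against a TLS-only listener")

    return Verdict("unknown", "", f"first bytes {head[:5].hex(' ')} match no known protocol")


def version_bytes_from_log(line: str):
    """Recover the raw version pair from an 'Unsupported record version Unknown-X.Y' line."""
    m = re.search(r"Unsupported record version Unknown-(\d+)\.(\d+)", line)
    return (int(m.group(1)), int(m.group(2))) if m else None


# Constructed samples (not captured from the poster's server).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16 03 01 00 c2"),  # record version 3.1 is normal for a ClientHello
    "bad_version":      bytes.fromhex("16 05 02 00 10"),  # same shape as the Unknown-5.2 log line
    "sslv2_hello":      bytes.fromhex("80 2e 01 03 01"),
    "plaintext_ldap":   bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00"),
    "http":             b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        v = triage(head)
        print(f"{label:18s} {v.kind:16s} {v.version:12s} {v.detail}")
    print(version_bytes_from_log(
        "javax.net.ssl.SSLException: Unsupported record version Unknown-5.2"))
```

Run against the first five bytes of a connection taken from a packet capture on the listener port (tcpdump or Wireshark), the verdict tells you whether to look at the client's trust configuration (a genuine TLS handshake that the client then aborts), at a client talking plaintext LDAP to the LDAPS port, or at something that is not an LDAP client at all; the server-side -Djavax.net.debug=all log asked for above gives the same bytes from the server's point of view.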