LDAP generic driver - IDM won't connect to OID using TLS

Hello everyone, I'm trying to configure one LDAP generic driver to connect using TLS to an OID LDAP directory. So I included the trusted certificate in the keystore of the directory and set the SSL connection in the driver. Now, when I start the driver, I get this error:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

 

Which is pretty clear: the handshake for the TLS connection is failing. Pretty hard error to debug, I think. So I executed several commands to gather information about the error. Here is what I got so far:

1. The eDirectory uses OpenSSL 1.0.2, which has at least one cipher that the OID accepts.

2. In the attachments, I uploaded the ciphers that the OID accepts.

3. With the openssl tool I tried one of those ciphers that both servers had in common, and the connection is successful.

4. ndstrace shows this error:

    error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown - SSL alert number 46

but the solution I found for other people who posted the same error is to import the trusted certificate into the keystore, a step that I already did (and the certificate was tested by the client who sent me the email).

So after more research, I came to the conclusion that I need to debug the TLS handshake to see which cipher is selected by IDM that generates the error in the connection. But here I have an issue: I found that if in Java I set the property -Djavax.net.debug I can debug this process, and I know that eDirectory uses Java, but I don't know where to set this property or which log to consume. The other thing that maybe can help me is knowing how to do this with ndstrace.

Waiting for your comments. Thanks in advance for your help!

  • 3192403712 LDAP: TLS accept failure 1 on connection 0x45cc2380, setting err = -5875. Error stack:
    error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown - SSL alert number 46

    That is an error for a client trying to connect to eDirectory - not the LDAP driver connecting to OID. To trace IDM operations, use the DXML and DVRS tags in ndstrace:

    /cyberres/idm/w/identity_mgr_tips/2319/capturing-and-reading-novell-identity-manager-traces
    /cyberres/idm/w/identity_mgr_tips/2561/comprehending-idm-traces---part-1-2695509
     
    The "javax.net.debug" property can be set on DriverSet -> Properties -> Java Environment Parameters.
     
    But before doing that, I would test with an external Java utility like https://github.com/klasen/sslpoke

     

  • If you want to debug the handshake, you're going to need tcpdump to capture the packets, and Wireshark to show you what's going on.

    I've previously connected an LDAP driver to OID and I don't recall there being much difficulty in doing so. Just set the Driver Options to Use SSL = Yes, and set the keystore path, key alias, and keystore password.

     

  • Thanks for the quick answer. So I started the debug with the tool you gave me (sslpoke), pretty useful by the way. So after some analytics I saw that the cipher suites offered by the server (OID) are not overlapping with the cipher suites that the Java in the client can use. This is troubling me because I don't know how to install those cipher suites or enable them if they already exist.

    In the post you can find the logs for sslpoke and nmap (the command that retrieves which cipher suites are accepted by the server). Hope you can give me some light here. Thank you very much!

  • Verified Answer

    I guess it's time to upgrade OID to a version that supports cipher suites that are currently considered secure - especially, it needs support for AES and SHA256.

  • Can't recommend it for anything other than testing / proving you've found the problem, but you could enable the weak cipher suites.

    https://www.java.com/en/configure_crypto.html
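As an added example (not code from this thread, from sslpoke or from the IDM driver), a small Java utility that takes the cipher suites a server accepts, as nmap's ssl-enum-ciphers script lists them, and checks each against what the running JVM offers by default and what it merely implements; the server list is a constructed sample, and the jdk.tls.disabledAlgorithms value it prints is the java.security setting the link above describes. Run it with the same java binary the driver uses, so the java.security file being consulted is the driver's.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.security.Security;
import java.util.*;
import java.util.stream.Collectors;

public class CipherOverlapCheck {
    // Suites the directory server accepts, as nmap --script ssl-enum-ciphers would
    // list them. Constructed sample values, not the suites from this thread's attachments.
    static final List<String> SERVER_SUITES = Arrays.asList(
        "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA");
    // Java names several legacy RSA suites with an SSL_ prefix where scanners and the
    // RFCs use TLS_ (e.g. SSL_RSA_WITH_3DES_EDE_CBC_SHA), so compare without the prefix.
    static String norm(String suite) {
        return suite.replaceFirst("^(TLS|SSL)_", "");
    }

    static Set<String> normalized(String[] suites) {
        return Arrays.stream(suites).map(CipherOverlapCheck::norm).collect(Collectors.toSet());
    }
    /** Classifies each server suite against what this JVM offers and implements. */
    static Map<String, String> classify(Set<String> enabled, Set<String> supported, List<String> server) {
        Map<String, String> report = new LinkedHashMap<>();
        for (String s : server) {
            String n = norm(s);
            if (enabled.contains(n)) {
                report.put(s, "OFFERED: part of this JVM's default ClientHello");
            } else if (supported.contains(n)) {
                report.put(s, "IMPLEMENTED but not enabled by default");
            } else {
                // No provider implementation, or filtered out by jdk.tls.disabledAlgorithms.
                report.put(s, "UNAVAILABLE: not implemented or disabled by policy");
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        Map<String, String> report = classify(normalized(f.getDefaultCipherSuites()),
                                              normalized(f.getSupportedCipherSuites()),
                                              SERVER_SUITES);
        report.forEach((suite, status) -> System.out.println(suite + " -> " + status));
        boolean overlap = report.values().stream().anyMatch(v -> v.startsWith("OFFERED"));
        System.out.println(overlap ? "Overlap exists; the failure lies elsewhere in the handshake."
                                   : "No overlap: the server rejects the ClientHello with handshake_failure.");
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

A suite reported as UNAVAILABLE that the provider does implement can only be re-enabled by editing jdk.tls.disabledAlgorithms; one reported as IMPLEMENTED is missing only from the default list.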

     

  • Thanks, after some more research that's the answer I gave to my client.