
I'm trying to connect to my Java application, which contains an ApacheDS server, with the OpenLDAP client. The server is configured well; I've tested that using different clients (ldapbrowser, jxplorer). With OpenLDAP I'm able to connect to the regular ldap port, but when I try to connect to the ldaps port or use TLS I always get the same message:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL3 alert read:fatal:unexpected_message
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message.

And my application gives me an exception:

WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.

and after that:

javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled

I tried to force SSLv2 to be enabled in Java, but the server's response is the same. I haven't seen an option in the ApacheDS configuration to enable SSLv2 (there are only SSLv3 and three TLS versions).

Is it possible that OpenLDAP needs an SSLv2 message to connect with TLS? I can't find a way to disable it. Or is it a problem with Apache, that it doesn't recognize TLS handshake messages?

Do you have any idea, how to solve that?

Thanks!

The problem could be your Java client if the server is well configured, but forcing SSL2 is not the right course of action. Ensure the Java client is using TLS 1.0 and above, not SSLv3 and above (as Java wants to do). Also see [Which Cipher Suites to enable for SSL Socket?](http://stackoverflow.com/a/23365536/608639). It shows you how to tune protocols and cipher suites. – jww Jan 11 '16 at 13:28

1 Answer


I found the way to disable SSLv2 in the OpenLDAP client. I added a minimum protocol version to the ldaprc file:

TLS_PROTOCOL_MIN 3.3

That was the missing line. Now I'm able to connect via SSLv3 and TLS.

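Added example, not part of the question or answer above: a small checker that parses an ldaprc / ldap.conf file the way ldap.conf(5) describes the format and reports whether TLS_PROTOCOL_MIN is missing (the state the question describes), unparseable, below a chosen floor, or acceptable. Per ldap.conf(5) the value is the record-layer version, so `3.3` means TLS 1.2; the recommended floor of 3.3 and the sample file contents are assumptions of this example.

```python
# ldap.conf(5) writes TLS_PROTOCOL_MIN as <major>[.<minor>] of the record-layer
# version: SSLv3 is 3.0, TLS 1.0 is 3.1, TLS 1.2 is 3.3, TLS 1.3 is 3.4.
PROTOCOL_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                  (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
# Floor this check recommends (an assumption of this example; adjust to policy).
RECOMMENDED_MIN = (3, 3)

def parse_ldap_conf(text):
    """One 'KEY value' per line, '#' starts a comment, keys are case-insensitive,
    a later occurrence of a key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def parse_version(value):
    """'3.3' -> (3, 3); a bare major ('3') means minor 0; None if not numeric."""
    major, _, minor = value.partition(".")
    minor = minor or "0"
    if not (major.isdigit() and minor.isdigit()):
        return None
    return (int(major), int(minor))

def check_tls_floor(text):
    """Return (status, message); status is 'missing', 'invalid', 'weak' or 'ok'.
    'missing' is the state in the question: with no floor, an older OpenSSL may
    send the SSLv2-compatible hello that the server rejected."""
    settings = parse_ldap_conf(text)
    value = settings.get("TLS_PROTOCOL_MIN")
    if value is None:
        return "missing", "TLS_PROTOCOL_MIN not set; add 'TLS_PROTOCOL_MIN 3.3'"
    version = parse_version(value)
    if version is None:
        return "invalid", f"unparseable TLS_PROTOCOL_MIN value {value!r}"
    name = PROTOCOL_NAMES.get(version, f"{version[0]}.{version[1]}")
    if version < RECOMMENDED_MIN:
        return "weak", f"minimum is {name}; raise to at least TLSv1.2 (3.3)"
    return "ok", f"minimum is {name}"

# Constructed sample ldaprc contents (not from the original post).
MISSING_FLOOR = "URI ldaps://ldap.example.com\nBASE dc=example,dc=com\n"
FIXED = MISSING_FLOOR + "TLS_PROTOCOL_MIN 3.3   # TLS 1.2 and up\n"
if __name__ == "__main__":
    for label, text in (("before", MISSING_FLOOR), ("after", FIXED)):
        print(label, *check_tls_floor(text))
```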