Hi all:
This is my first post, so please redirect me if I'm in the wrong place. I've been having the same problem for weeks, and I can't seem to get around it. I'm connecting to an OpenLDAP server using TLS/SSL (OpenSSL), and I'm constantly getting an EOFException around the time of the TLS READ on the client side, and I can't figure out whether it's SSL or TLS that's dying. If anyone has any idea what's going on, I'd really appreciate the input. Here's some relevant Java output with debugging on:
..........
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : /path/to/mycert
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /path/to/mycert
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
**********removed sensitive info here**********************


 Algorithm: RSA; Serial number: 0x0
 Valid from Mon Mar 17 20:28:46 NST 2003 until Tue Mar 16 20:28:46 NST 2004

init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
export control - checking the cipher suites
export control - no cached value available...
export control - storing legal entry into cache...
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1069503884 bytes = { 7, 48, 141, 114, 165, 47, 223, 142, 90, 51, 199, 37, 149, 8, 3, 229, 3, 181, 2, 201, 24, 205, 74, 133, 18, 50, 70, 121 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
***
[write] MD5 and SHA1 hashes: len = 73
0000: 01 00 00 45 03 01 40 BF 56 8C 07 30 8D 72 A5 2F [EMAIL PROTECTED]/
0010: DF 8E 5A 33 C7 25 95 08 03 E5 03 B5 02 C9 18 CD ..Z3.%..........
0020: 4A 85 12 32 46 79 00 00 1E 00 04 00 05 00 2F 00 J..2Fy......../.
0030: 33 00 32 00 0A 00 16 00 13 00 09 00 15 00 12 00 3.2.............
0040: 03 00 08 00 14 00 11 01 00 .........
Thread-0, WRITE: TLSv1 Handshake, length = 73
[write] MD5 and SHA1 hashes: len = 98
0000: 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 ....9... .......
0010: 00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 ..../..3..2.....
0020: C0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 [EMAIL PROTECTED]
0030: 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 ................
0040: 00 11 40 BF 56 8C 07 30 8D 72 A5 2F DF 8E 5A 33 [EMAIL PROTECTED]/..Z3
0050: C7 25 95 08 03 E5 03 B5 02 C9 18 CD 4A 85 12 32 .%..........J..2
0060: 46 79 Fy
Thread-0, WRITE: SSLv2 client hello message, length = 98
Thread-0, received EOFException: error
Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Thread-0, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-0, WRITE: TLSv1 Alert, length = 2
Thread-0, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Problem getting attribute:javax.naming.CommunicationException: simple bind failed: ******.ca:389 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]


Also, here's the code:

import javax.naming.NamingEnumeration;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.Attributes;
import javax.naming.NamingException;
import javax.naming.ldap.*;
import java.util.Hashtable;
import javax.net.ssl.*;
import java.security.*;
import java.io.IOException;
import java.io.EOFException;

public class LdapFetchName {
    public static void main(String[] args) {
        try {
            Hashtable env = new Hashtable();
            // JSSE handshake tracing; this is what produced the output above.
            System.setProperty("javax.net.debug", "all");
            //System.setProperty("java.protocol.handler.pkgs","javax.net.ssl");

            // The same JKS file serves as both trust store and key store.
            String c_truststore = "/source/sandbox/mbrophy/munCA/mycert";
            System.setProperty("javax.net.ssl.trustStore", c_truststore);
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            String c_keystore = "/source/sandbox/mbrophy/munCA/mycert";
            System.setProperty("javax.net.ssl.keyStore", c_keystore);
            System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://irma.cs.mun.ca:389");
            env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            //env.put(Context.SECURITY_PRINCIPAL,"uid=replicat,ou=People,ou=CSMath,dc=mun,dc=ca");
            env.put(Context.SECURITY_PRINCIPAL, "uid=mbrophy,ou=People,ou=CSMath,dc=mun,dc=ca");
            //env.put(Context.SECURITY_CREDENTIALS,"pr60ghlj");
            env.put(Context.SECURITY_CREDENTIALS, "m8c0.sbc");

            // The simple bind is performed here, when the context is created.
            LdapContext ctx = new InitialLdapContext(env, null);
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            SSLSession sess = tls.negotiate();
            Attributes answer = ctx.getAttributes("uid = mbrophy");
            tls.close();
            ctx.close();
        } catch (NamingException e) {
            System.err.println("Problem getting attribute:" + e);
        } catch (EOFException eofe) {
            System.err.println("End of file: " + eofe);
        } catch (IOException ioex) {
            System.err.println("IOException: " + ioex);
        }
    }
}

Thanks in advance,
-Mark
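As an added illustration (not Mark's code and not from the list), this is the StartTLS sequence the JNDI LDAP API documents: the connection starts as plain LDAP on port 389 without SECURITY_PROTOCOL=ssl, TLS is negotiated on that same socket, and only afterwards are the bind credentials added so they never travel in the clear. Host name, DN and the password source are placeholders.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class LdapStartTlsExample {
    public static void main(String[] args) throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Plain LDAP port (placeholder host). StartTLS upgrades this connection in place.
        // For an SSL-wrapped listener you would instead use "ldaps://host:636" plus
        // SECURITY_PROTOCOL=ssl and skip the StartTLS extended operation entirely.
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.org:389");
        // No SECURITY_PROTOCOL and no credentials here: anything in the initial
        // environment is used for a bind before TLS exists on the socket.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            // Handshake on the existing socket. The default StartTlsResponse
            // verifies the server certificate's host name; do not replace it
            // with a permissive HostnameVerifier.
            SSLSession sess = tls.negotiate();
            System.out.println("TLS up: " + sess.getProtocol() + " " + sess.getCipherSuite()
                    + " peer=" + sess.getPeerPrincipal());

            // Credentials are added only now, so the bind runs inside TLS.
            // The password comes from args[0] here purely for illustration.
            String dn = "uid=someone,ou=People,dc=example,dc=org"; // placeholder DN
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, args.length > 0 ? args[0] : "");

            // The first operation after the environment change triggers the bind.
            Attributes attrs = ctx.getAttributes(dn, new String[] {"cn"});
            System.out.println(attrs.get("cn"));
        } finally {
            tls.close(); // tears down TLS, the LDAP connection stays open until ctx.close()
            ctx.close();
        }
    }
}
```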



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
