Check if Tlsv1.2 version is enabled for dsee7 server

Hi,

We would like to check if Tlsv1.2 protocol is enabled for the ODSEE7 server. When the application team connects to LDAP with Tlsv1.2 protocol they get an SSL handshake terminated error.

vendorVersion: Sun-Directory-Server/11.1.1.7.3; 

Below are the queries we have. Please let us know.

  1. We want to identify if Tlsv1.2 is enabled & supported
  2. We want to identify the ciphers that need to be enabled for Tlsv1.2 version
  3. Will this be a result of cipher mismatch between LDAP server & the client?


Openssl command shows tlsv1.2 is supported

------------------------------------------
openssl s_client -connect <hostname>:<port> -tls1_2
SSL handshake has read 4409 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol : TLSv1.2
  Cipher  : ECDHE-RSA-AES128-GCM-SHA256
  Session-ID: 13452AC58D403CBB27219158A6A15C521397535A6EB310EE624578454B90351A
  Session-ID-ctx:
  Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Key-Arg  : None
  Krb5 Principal: None
  PSK identity: None
  PSK identity hint: None
  Start Time: 1616027327
  Timeout  : 7200 (sec)
  Verify return code: 0 (ok)
-----------------------------------------------


------------------------
error at client End:

Couldn't kickstart handshaking (
"throwable" : {
 javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
  at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1321)
  at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1160)
  at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
  at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
  at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348)
  at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
  at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
  at java.naming/com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:64)
  at java.naming/com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:114)
  at java.naming/com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:136)
  at java.naming/com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:340)
  at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1608)
  at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752)
  at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
  at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
  at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
  at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
  at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)

Comments

  • DebA-Oracle Member Posts: 18 Employee

    This first KM Document also provides a command that can be used to test support for TLS 1.2:

    ODSEE - What Versions of SSL and TLS are Supported by the Latest Version of the Directory Server (Doc ID 2047989.1)

    This KM is provided for an extra credit reference:

    How to Configure ODSEE to Support Specific Security Protocols (Doc ID 2273766.1)

    I hope they help.
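
For question 2 in the original post, one way to list the TLS 1.2 cipher suites the directory server accepts is to repeat the `openssl s_client -tls1_2` check from the question once per cipher. The script below is an added example, not part of the thread or of the KM documents referenced above; the function names are hypothetical, the sample outputs are constructed, and the host and port are supplied by the operator.

```shell
# Added example: repeat the `openssl s_client -tls1_2` check once per cipher.
# Function names are hypothetical; host and port are supplied by the operator.

# Read s_client output on stdin. Print the negotiated cipher and return 0 only
# if the SSL-Session block shows a completed TLSv1.2 handshake; openssl prints
# "Cipher : 0000" (or "(NONE)") when the server ended the handshake.
negotiated_cipher() {
  awk '
    /^ *Protocol *:/ { proto = $NF }
    /^ *Cipher *:/   { cipher = $NF }
    END {
      if (proto == "TLSv1.2" && cipher != "" && cipher != "0000" && cipher != "(NONE)") {
        print cipher; exit 0
      }
      exit 1
    }'
}

# Constructed sample: the relevant lines of a successful s_client run,
# in the layout shown in the question.
sample_ok() {
  printf '%s\n' \
    'New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256' \
    'SSL-Session:' \
    '    Protocol  : TLSv1.2' \
    '    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
}

# Constructed sample: what s_client reports when no cipher was agreed.
sample_failed() {
  printf '%s\n' \
    'SSL-Session:' \
    '    Protocol  : TLSv1.2' \
    '    Cipher    : 0000'
}

# Try every cipher the local openssl build offers, one handshake per cipher.
probe_tls12_ciphers() {  # usage: probe_tls12_ciphers <hostname> <port>
  for c in $(openssl ciphers 'ALL:!aNULL' | tr ':' ' '); do
    if openssl s_client -connect "$1:$2" -tls1_2 -cipher "$c" \
         </dev/null 2>/dev/null | negotiated_cipher >/dev/null; then
      echo "accepted: $c"
    fi
  done
}

# Run the probe only when a host and port are given on the command line.
if [ "$#" -eq 2 ]; then probe_tls12_ciphers "$1" "$2"; fi
```

A suite reported as accepted helps the Java client only if the JVM enables it as well; the JVM lists suites under their IANA names, for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for the cipher shown in the question.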