[OPENDJ-649] Add supportedTLSCiphers and supportedTLSProtocols to RootDSE and system monitor
Created: 19/Nov/12  Updated: 14/Feb/13  Resolved: 21/Nov/12
Status: Resolved
Project: OpenDJ
Component/s: core server
Affects Version/s: 2.4.6
Fix Version/s: 2.6.0
Type: Bug
Reporter: Matthew Swift
Resolution: Fixed
Labels: release-notes
Priority: Major
Assignee: Matthew Swift
Votes: 0
Σ Remaining Estimate: Not Specified
Σ Time Spent: Not Specified
Σ Original Estimate: Not Specified
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sub-Tasks:
Key: OPENDJ-650 | Summary: Update root DSE example in dev guide | Type: Sub-task | Status: Resolved | Assignee: Mark
Description
Sample code:
```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Lists what the JVM's default SSLContext supports (getDefault() throws NoSuchAlgorithmException)
SSLContext context = SSLContext.getDefault();
System.out.println(Arrays.toString(context.getSupportedSSLParameters().getProtocols()));
System.out.println(Arrays.toString(context.getSupportedSSLParameters().getCipherSuites()));
```
This will help people debug some SSL interop issues.
Comments
Comment by Matthew Swift [ 20/Nov/12 ]
We have agreed that the RootDSE should expose the following attributes:

- supportedTLSProtocols - the set of TLS protocols supported by the LDAP connection handler to which the client is connected
- supportedTLSCiphers - the set of TLS ciphers supported by the LDAP connection handler to which the client is connected

In other words, the content of these attributes may vary depending on the LDAP connection handler configuration. In addition, we should expose the full set of protocols/ciphers supported by the JVM in the system monitor entry.
Comment by Matthew Swift [ 21/Nov/12 ]
Made the following changes:

- add supportedTLSCiphers (note plural) attribute to the RootDSE. This lists the ciphers which have been enabled for the connection handler to which the client is connected. For plain LDAP listeners which do not support StartTLS this attribute is empty
- add supportedTLSProtocols (note plural) attribute to the RootDSE. This lists the TLS protocols which have been enabled for the connection handler to which the client is connected. For plain LDAP listeners which do not support StartTLS this attribute is empty
- added supportedTLSProtocols and supportedTLSCiphers attributes to the System Monitor monitor entry. These attributes list the TLS protocols and ciphers which are supported by the JVM and which may not necessarily be enabled for individual connection handlers. Note that the default set of protocols and ciphers may be a subset of the supported set, and usually is for ciphers
- fixed the LDAP connection handler to provide a more useful error message in the access log when SSL errors occur, especially during handshaking. A previous change (see ) was too aggressive at filtering out "noisy" exceptions
- fix the LDAP connection handler so that it validates the SSL configuration during initialization and configuration changes. Previously it was lazily configuring SSL when the first connection is accepted, meaning that any configuration errors were not detected early (or at all in fact)
- various changes required in order to handle the fact that we now configure SSL early. In particular the administration connector initialization needed some brain surgery because it was being initialized before the required key and trust managers.
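The distinction drawn in the two comments above (JVM-supported set for the system monitor, per-handler enabled set for the RootDSE, and validating the handler's SSL configuration at startup rather than on the first connection) as an added example; this is illustrative code, not OpenDJ's implementation, and the class name, the helper and the listener configuration lists are constructed for the demonstration:

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added illustration, not OpenDJ code: the JVM-wide set (system monitor view)
// versus the per-listener enabled set (RootDSE view), with a constructed
// listener configuration validated at startup rather than on the first connection.
public class TlsCapabilityCheck {
    // Per-listener enabled set. An empty configured list means "JVM defaults";
    // a configured name the JVM does not support is rejected immediately.
    static Set<String> enabledFromConfig(List<String> configured, String[] supported,
                                         String[] jvmDefaults, String kind) {
        if (configured.isEmpty()) {
            return new TreeSet<>(Arrays.asList(jvmDefaults));
        }
        Set<String> supportedSet = new TreeSet<>(Arrays.asList(supported));
        Set<String> enabled = new TreeSet<>();
        for (String name : configured) {
            if (!supportedSet.contains(name)) {
                throw new IllegalArgumentException("unsupported " + kind + " in config: " + name);
            }
            enabled.add(name);
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters(); // what the JVM can do
        SSLParameters defaults = ctx.getDefaultSSLParameters();    // what it enables by default
        // Constructed configuration for a hypothetical LDAPS listener.
        List<String> cfgProtocols = Arrays.asList("TLSv1.2");
        List<String> cfgCiphers = Arrays.asList(); // empty: defer to JVM defaults
        Set<String> enabledProtocols = enabledFromConfig(cfgProtocols,
            supported.getProtocols(), defaults.getProtocols(), "protocol");
        Set<String> enabledCiphers = enabledFromConfig(cfgCiphers,
            supported.getCipherSuites(), defaults.getCipherSuites(), "cipher");
        Set<String> notEnabled = new TreeSet<>(Arrays.asList(supported.getCipherSuites()));
        notEnabled.removeAll(enabledCiphers);
        System.out.println("supportedTLSProtocols (system monitor): "
            + Arrays.toString(supported.getProtocols()));
        System.out.println("supportedTLSProtocols (this listener): " + enabledProtocols);
        System.out.println(supported.getCipherSuites().length + " ciphers supported, "
            + enabledCiphers.size() + " enabled, " + notEnabled.size() + " supported but not enabled");
    }
}
```

Changing cfgProtocols to include a name the JVM does not know (for example a typo) makes the program fail in enabledFromConfig before any connection is involved, which is the early detection the 21/Nov/12 comment describes.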
Comment by Matthew Swift [ 27/Nov/12 ]
Useful JSSE/JCE reading for documentation.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
Generated at Tue Feb 09 11:33:08 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.