Word - ForgeRock JIRA

[OPENAM-8091] OpenAM cannot connect to a DataStore which accepts only TLSv1.2
Created: 11/Jan/16  Updated: 05/Feb/16

Status: Open
Project: OpenAM
Component/s: idrepo
Affects Version/s: 12.0.2
Fix Version/s: None
Type: Bug
Priority: Major
Reporter: Andrew Dunn
Assignee: Kamal Sivanandam
Resolution: Unresolved
Votes: 0
Labels: EDISON
Remaining Estimate: 4h
Time Spent: Not Specified
Original Estimate: 4h
Environment: Oracle jdk1.8.0_51 on tomcat 8.0.24
Issue Links: Relates: is related to OPENDJSDK49 "Advertise support for TLSv1.2 in SSLC..." (Resolved)
Target Version/s: 12.0.3, 13.0.1, 14.0.0
Sprint: AM Sustaining Sprint 17
Cases: 10575

Description
Steps to reproduce:
1. Configure an OpenDJ datastore to accept only TLSv1.2 connections.
For example:
dsconfig set-connection-handler-prop \
  --hostname $DS_HOST \
  --port $ADMIN_PORT \
  --bindDN "$DIR_MGR" \
  --bindPassword $DIR_MGR_PSWD \
  --handler-name "LDAPS Connection Handler" \
  --add ssl-protocol:TLSv1.2 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
  --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA \
  --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA \
  --trustAll \
  --no-prompt
2. Configure OpenAM (as the LDAPS client) in the JVM to connect to the datastore using TLSv1.2:
-Djdk.tls.client.protocols="TLSv1.2"
3. Using javax.net.debug=SSL, observe in the OpenAM container debug output that OpenAM will still try to use TLSv1.1 and fail during the handshake.
Possible explanation:
OpenAM does not set the SSL/TLS protocol when using the DJ SDK's SSLContextBuilder class, i.e. setProtocol() is apparently never called.
http://opendj.forgerock.org/opendjcore/apidocs/org/forgerock/opendj/ldap/SSLContextBuilder.html
    Sets the protocol which the SSL context should use. By default, TLSv1 will be used.
    Parameters:
    protocol - The protocol which the SSL context should use, which may be null indicating that TLSv1 will be used.
This results in the DJ SDK calling:
sslContext = SSLContext.getInstance("TLSv1");
which prevents the JVM property
jdk.tls.client.protocols="TLSv1.2"
from taking effect.
Possible solution:
Call setProtocol("TLS");
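The following is an added example, not code from the ticket or from the OpenDJ SDK, that isolates the root cause with the JDK alone (hypothetical class TlsContextCheck; assumes the Oracle JDK 8 behaviour of the reported environment). It builds an SSLContext the way the SDK does when setProtocol() is never called ("TLSv1") and the way the proposed fix would ("TLS"), lists the protocol versions a client built from each would offer, and turns the mismatch into a startup failure instead of a handshake failure against a TLSv1.2-only directory.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper: which protocol versions a client built from a named SSLContext offers. */
public final class TlsContextCheck {

    /** Protocol versions a client-mode engine from SSLContext.getInstance(name) enables by default. */
    static List<String> enabledClientProtocols(String contextName)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // JDK default key managers, trust managers and randomness
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true); // switches the engine to the client default protocol list
        return Arrays.asList(engine.getEnabledProtocols());
    }

    /**
     * Fail fast at startup: a directory that accepts only TLSv1.2 is unreachable from a
     * context that will never offer it, whatever jdk.tls.client.protocols says.
     */
    static void requireTls12(String contextName)
            throws NoSuchAlgorithmException, KeyManagementException {
        List<String> offered = enabledClientProtocols(contextName);
        if (!offered.contains("TLSv1.2")) {
            throw new IllegalStateException("SSLContext \"" + contextName + "\" offers "
                    + offered + " but the datastore requires TLSv1.2");
        }
    }

    public static void main(String[] args) throws Exception {
        // Run as: java -Djdk.tls.client.protocols=TLSv1.2 TlsContextCheck
        // "TLSv1" is the SDK default when setProtocol() is never called; "TLS" is the
        // proposed fix and is the only one of the two that honours the JVM property.
        for (String name : new String[] {"TLSv1", "TLS"}) {
            System.out.printf("SSLContext.getInstance(\"%s\") -> client offers %s%n",
                    name, enabledClientProtocols(name));
            try {
                requireTls12(name);
                System.out.println("  OK: TLSv1.2 can be negotiated");
            } catch (IllegalStateException e) {
                System.out.println("  FAIL: " + e.getMessage());
            }
        }
    }
}
```

On JDK 8 the "TLSv1" context reports only TLSv1 (SSLv3 being disabled by default), which is the handshake failure of step 3, while the "TLS" context reports TLSv1.2 when the property is set.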
Comments
Comment by Chris Ridd [ 14/Jan/16 ]
This is straightforward using the 2.6.11 SDK and a version of Java 7 that supports TLSv1.2, or Java 8 without setting jdk.tls.client.protocols:
// Imports for the OpenDJ LDAP SDK 2.6.x (org.forgerock.opendj.ldap) and the JDK
import javax.net.ssl.SSLContext;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.LDAPOptions;
import org.forgerock.opendj.ldap.SSLContextBuilder;
import org.forgerock.opendj.ldap.TrustManagers;

final SSLContext sslContext = new SSLContextBuilder()
        .setTrustManager(TrustManagers.trustAll()) // FIXME do not use trustAll() in production
        .getSSLContext();
// using LDAPS
final LDAPOptions options = new LDAPOptions()
        .setSSLContext(sslContext)
        .addEnabledProtocol("TLSv1.2"); // restrict the client to TLSv1.2 regardless of the context default
// using LDAP+STARTTLS
// final LDAPOptions options = new LDAPOptions()
//         .setSSLContext(sslContext)
//         .setUseStartTLS(true)
//         .addEnabledProtocol("TLSv1.2");
// hostname and port: the directory server address, defined by the caller
final ConnectionFactory connectionFactory = new LDAPConnectionFactory(hostname, port, options);
final Connection connection = connectionFactory.getConnection();
This is tested against a server that only had TLSv1.2 enabled. I fired in test connections using openssl s_client -tls1/-tls1_1/-tls1_2. All openssl connections except those over TLSv1.2 were disconnected by the server, e.g.
[13/Jan/2016:16:18:25 +0000] CONNECT conn=18 from=10.0.1.10:53764 to=10.0.1.10:4444 protocol=LDAPS
[13/Jan/2016:16:18:25 +0000] DISCONNECT conn=18 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1.1 not enabled or not supported"
Generated at Tue Feb 09 21:26:34 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.