I'm facing issue connecting to LDAPS from my application. I have imported all necessary certificates on JRE keystore. I'm able to make calls to LDAPs when I put the following string in java.security When I change this line to my connection fails with following error: In wireshark it complains about certificate invalid.My question is if my certificate is invalid, it

LDAPS : Simple bind failed

I’m facing issue connecting to LDAPS from my application. I have imported all necessary certificates on JRE keystore.

I’m able to make calls to LDAPs when I put the following string in java.security

jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

When I change this line to

jdk.tls.disabledAlgorithms=MD5, DSA, DESede, DES_CBC, DHE, RC4, SSLv3, ECDH_anon, DH_anon, NULL, DH keySize < 768, RSA keySize < 2048

my connection fails with following error:

Caused by: javax.naming.CommunicationException: simple bind failed: testxxxxl.xxxx.com:636 [Root exception is java.net.SocketException: Socket closed]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:122)
    ... 72 more
Caused by: java.net.SocketException: Socket closed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:152)
    at java.net.SocketInputStream.read(SocketInputStream.java:122)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
    at sun.security.ssl.InputRecord.read(InputRecord.java:480)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)

In wireshark it complains about certificate invalid.My question is if my certificate is invalid, it shouldn’t be working with this line as well.

jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

Please help me to solve the issue.

Answer

If you use a secure connection to the LDAP server and you see an error like the following when trying to connect to Active Directory: simple bind failed: ad.hostname.com:636 Import the LDAP server public certificate directly into the Klocwork keystore (which should be_jvmlibsecuritycacerts). This causes the certificate validation process at the Klocwork end to be bypassed, since you have decided to trust the LDAP server certificate by importing it into your list of trusted certificates.

Ask your LDAP administrator to set this extension of your LDAP server certificate to non-critical.

Advertisement

Answer