
Description

After an upgrade from Java 6 to Java 8, which is required in the Helsinki release, LDAP requests produce the following error:

"Certificates does not conform to algorithm constraints."
or
"Connection reset"

A rollback to Java 6 is not possible. Java 8 forces TLS v1.2 and also deprecates some cipher suites, which does not work with certain SSL-enabled LDAP servers.

The SSL connection functions correctly via OpenSSL with no issues.

Steps to Reproduce

  1. Create a new node with no modified wrapper.conf adjustments.
  2. Upgrade from Geneva to Helsinki.
  3. Test the LDAP connection on the node.

Workaround

This problem was resolved in Helsinki Patch 7.

-> To resolve the issue for an instance on Helsinki Patch 7 or any later version, SN Support should create the following system properties:

glide.security.ssl.protocols:

Set the value to a comma-separated list of enabled protocols for secured outgoing connections using the db keystore-based socket factory, for example:

TLSv1.1,TLSv1.2,TLSv1

glide.security.ssl.ciphersuites:

Set the value to a comma-separated list of the enabled cipher suites for secured outgoing connections using the db keystore-based socket factory. 

For example: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"

-> To resolve the issue for an instance pre-Helsinki Patch 7, update wrapper.conf with the following entry:

wrapper.java.additional.9=-Djdk.tls.client.protocols="${TLS_VERSION}"

 

Note: TLS_VERSION can be TLSv1.1 or TLSv1. Specifying cipher suites is not supported before Helsinki Patch 7.

If you see errors like this in the logs:
LDAP API - LDAPLogger : java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_RSA_AES256_SHA384

This might indicate that 'TLS_ECDHE_RSA_AES256_SHA384' is in glide.security.ssl.ciphersuites but is an invalid cipher suite. It doesn't necessarily mean that the LDAP server is using this cipher suite and that we see it as invalid. It is best to remove everything from glide.security.ssl.ciphersuites except what is actually needed for the affected environment.
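
The check below is an added example, not ServiceNow code: it compares comma-separated values like those of glide.security.ssl.protocols and glide.security.ssl.ciphersuites with what the local JVM's default JSSE provider supports, so a name such as the one in the log line above is flagged before the property is saved. The class and method names are hypothetical, and the sample values are constructed from the examples in this article.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class (not part of the ServiceNow platform).
public class SslPropertyCheck {

    // Return the entries of a comma-separated property value that this JVM does not support.
    static List<String> unsupported(String csv, String[] supportedByJvm) {
        Set<String> supported = new HashSet<>(Arrays.asList(supportedByJvm));
        List<String> bad = new ArrayList<>();
        for (String item : csv.split(",")) {
            String name = item.trim();  // tolerate spaces after commas
            if (!name.isEmpty() && !supported.contains(name)) {
                bad.add(name);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: the article's example lists, plus the name from the logged error.
        String protocols = "TLSv1.1,TLSv1.2,TLSv1";
        String suites = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
                + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
                + "TLS_ECDHE_RSA_AES256_SHA384";

        // Everything the default JSSE provider in this JVM is able to negotiate.
        SSLParameters jvm = SSLContext.getDefault().getSupportedSSLParameters();

        System.out.println("Unsupported protocols: "
                + unsupported(protocols, jvm.getProtocols()));
        System.out.println("Unsupported cipher suites: "
                + unsupported(suites, jvm.getCipherSuites()));
    }
}
```

Run it with the same Java version as the affected node, because the supported list differs between Java releases. A name that passes this check is known to the JVM, which does not by itself mean the LDAP server accepts it.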
 
 

Related Problem: PRB703022

Seen In

Eureka Patch 12
Eureka Patch 13 Hot Fix 5
Fuji Patch 12 Hot Fix 1
Fuji Patch 13 Hot Fix 1
Geneva Patch 1 Hot Fix 8
Geneva Patch 5
Geneva Patch 6 Hot Fix 2
Geneva Patch 7
Helsinki Patch 1
Helsinki Patch 4
Helsinki Patch 5
Helsinki Patch 7

Fixed In

Helsinki Patch 7
Istanbul
Jakarta


Article Information

Last Updated: 2018-03-29 03:26:47
Published: 2018-03-29