After an upgrade from Java 6 to Java 8, which is required in the Helsinki release, LDAP requests produce the following error:
"Certificates does not conform to algorithm constraints."
A rollback to Java 6 is not possible. Java 8 forces TLS v1.2 and also deprecates some cipher suites, and this combination does not work with certain LDAP servers that have SSL enabled.
The same SSL connection works when tested with OpenSSL.
Steps to Reproduce
- Create a new node with no custom wrapper.conf adjustments.
- Upgrade from Geneva to Helsinki.
- Test the LDAP connection on the node.
To resolve the issue for an instance on Istanbul or post-Helsinki Patch 7, Support should create these system properties:
- Enabled protocols property: set the value to a comma-separated list of enabled protocols for secured outgoing connections using the db keystore-based socket factory. For example: "TLSv1.1,TLSv1.2"
- Enabled cipher suites property: set the value to a comma-separated list of the enabled cipher suites for secured outgoing connections using the db keystore-based socket factory. For example: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
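As an added illustration (not ServiceNow's code and not the db keystore-based socket factory itself), the following Java class shows how a delegating SSLSocketFactory applies comma-separated protocol and cipher-suite lists of the form given above to each outgoing socket. The property names example.ssl.enabledProtocols and example.ssl.enabledCipherSuites are placeholders, since the article does not state the real ones.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public class RestrictedSslSocketFactory extends SSLSocketFactory {
    // Placeholder property names: the article does not state the real ones.
    static final String PROTOCOLS_PROP = "example.ssl.enabledProtocols";  // e.g. "TLSv1.1,TLSv1.2"
    static final String CIPHERS_PROP = "example.ssl.enabledCipherSuites"; // e.g. "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    private final SSLSocketFactory delegate;
    private final String[] protocols;
    private final String[] ciphers;

    public RestrictedSslSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
        this.protocols = parseList(System.getProperty(PROTOCOLS_PROP));
        this.ciphers = parseList(System.getProperty(CIPHERS_PROP));
    }
    // Parses the comma-separated form used in the article; unset or blank means "keep the JVM defaults".
    static String[] parseList(String csv) {
        if (csv == null) return new String[0];
        return Arrays.stream(csv.split(",")).map(String::trim).filter(s -> !s.isEmpty()).toArray(String[]::new);
    }
    // Keeps only names this JVM supports (setEnabledProtocols/setEnabledCipherSuites reject unknown names)
    // and fails up front if nothing is left, rather than surfacing later as a failed handshake.
    static String[] supportedSubset(String[] wanted, String[] supported) {
        String[] out = Arrays.stream(wanted).filter(Arrays.asList(supported)::contains).toArray(String[]::new);
        if (out.length == 0) throw new IllegalArgumentException("none of " + Arrays.toString(wanted) + " is supported by this JVM");
        return out;
    }
    // Applies the configured lists to every SSLSocket the delegate hands back (before its handshake starts).
    private Socket restrict(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            if (protocols.length > 0) ssl.setEnabledProtocols(supportedSubset(protocols, ssl.getSupportedProtocols()));
            if (ciphers.length > 0) ssl.setEnabledCipherSuites(supportedSubset(ciphers, ssl.getSupportedCipherSuites()));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException { return restrict(delegate.createSocket(s, h, p, close)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return restrict(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return restrict(delegate.createSocket(h, p, lh, lp)); }
}
```

Construct it with a standard delegate such as SSLContext.getDefault().getSocketFactory() and pass the two placeholder properties with -D on the JVM command line; names that the JVM has already disabled through its java.security algorithm constraints will not appear in getSupportedProtocols()/getSupportedCipherSuites() and are therefore rejected here rather than silently ignored.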
To resolve the issue for an instance on pre-Helsinki Patch 7, update wrapper.conf with the following entry (until this PRB is back-ported):
Note: TLS_VERSION can be TLSv1.1 or TLSv1. Specifying cipher suites is not supported on instances prior to Helsinki Patch 7.
Related Problem: PRB703022