Diffie-Hellman cipher suite woes

This topic has 3 replies, 2 voices, and was last updated 5 years, 9 months ago by Ludo.

  • #4453
     Mark Drummond
    Participant

    I was trying to connect to my OpenDJ (on OpenJDK 1.7) install from JXplorer. The connections failed and the logs showed cipher-suite negotiation problems. I seem to be hearing about these issues a lot lately. I have been trying to work around the problem with some Google-fu but no luck yet.

    Just to confirm my SSL was working properly, I figured I’d just try connecting locally using ${OPENDJ}/bin/ldapsearch. But even the OpenDJ native ldapsearch client suffers the same problem:

    [17/Jun/2015:18:26:12 +0000] CONNECT conn=671 from=127.0.0.1:40237 to=127.0.0.1:636 protocol=LDAPS
    [17/Jun/2015:18:26:13 +0000] DISCONNECT conn=671 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"

    This is out of the box. Any pointers are greatly appreciated.

    • This topic was modified 7 years, 1 month ago by Peter Major.
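The access-log excerpt above is the first place to look when an LDAPS client cannot connect: OpenDJ logs a CONNECT line and then a DISCONNECT whose msg carries the Java exception. The following script is an added example (not code from the thread or from OpenDJ) that parses such CONNECT/DISCONNECT pairs, flags the connections that died during the TLS handshake, and reports the client address and the exception text, so the failure can be counted per client and per cause rather than spotted by eye. The log lines are constructed for the example: the two from the post plus a clean session.

```python
import re
from collections import Counter

# Constructed sample log: the two lines quoted in the post plus one
# connection that disconnected normally (constructed, not from a real server).
SAMPLE_ACCESS_LOG = """\
[17/Jun/2015:18:26:12 +0000] CONNECT conn=671 from=127.0.0.1:40237 to=127.0.0.1:636 protocol=LDAPS
[17/Jun/2015:18:26:13 +0000] DISCONNECT conn=671 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"
[17/Jun/2015:18:27:40 +0000] CONNECT conn=672 from=127.0.0.1:40244 to=127.0.0.1:636 protocol=LDAPS
[17/Jun/2015:18:27:41 +0000] DISCONNECT conn=672 reason="Client Disconnect"
"""

# Only the connection-level events matter here; other operations are skipped.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<op>CONNECT|DISCONNECT)\s+conn=(?P<conn>\d+)(?P<rest>.*)$'
)
# key=value pairs, where the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fields(rest):
    """Turn the trailing key=value part of a log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def find_handshake_failures(log_text):
    """Return one record per connection whose DISCONNECT carries an SSLHandshakeException."""
    connects = {}   # conn id -> fields from its CONNECT line
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = m.group('conn')
        fields = parse_fields(m.group('rest'))
        if m.group('op') == 'CONNECT':
            connects[conn] = {'ts': m.group('ts'), **fields}
            continue
        msg = fields.get('msg', '')
        if 'SSLHandshakeException' not in msg:
            continue
        c = connects.get(conn, {})
        failures.append({
            'conn': conn,
            'client': c.get('from'),
            'protocol': c.get('protocol'),
            'connect_ts': c.get('ts'),
            'disconnect_ts': m.group('ts'),
            # The last colon-separated part is the JSSE reason, e.g. "no cipher suites in common".
            'cause': msg.rsplit(':', 1)[-1].strip(),
        })
    return failures


def summarize_causes(failures):
    """Count handshake failures by JSSE reason."""
    return Counter(f['cause'] for f in failures)


if __name__ == '__main__':
    found = find_handshake_failures(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f"conn={f['conn']} client={f['client']} cause={f['cause']!r}")
    print(dict(summarize_causes(found)))
```

Point it at the real access log (by default `${OPENDJ}/logs/access`) to see whether every LDAPS client fails the same way, as the post reports for both JXplorer and the bundled ldapsearch, or whether only some clients do; the cause text is what to search for in the JSSE documentation for the JVM version in use.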
    #4512
     Ludo
    Moderator

    Hi Mark,

    A while ago, I wrote an article on how to troubleshoot SSL connection issues with OpenDJ: http://ludopoitou.com/2011/06/29/opendj-troubleshooting-ldap-ssl-connections/
    Unfortunately, the Java SSL library is really lacking proper messages when exceptions occur.
    This said, I’m really surprised that OpenDJ ldapsearch cannot connect with the server. Is this with the same JVM on the same box?
    I assume this is on Linux. Which version and distribution?
    Also, you say this is out of the box, but are you using the OpenDJ self-signed certificate? Or have you installed a proper certificate? If the latter, can you provide details on the certificate as well?

    #13819
     Mark Drummond
    Participant

    Hi Ludo,

    Thanks for the response and apologies for the late reply. Our FG project was temporarily sidelined for other initiatives. I’ll try to circle back around on this.

    – Mark

    #13867
     Ludo
    Moderator

    Hi Mark,
    Thanks for your response. A few months later, we now know that some versions of OpenJDK had a wrong handling of negotiation of certificates between Diffie-Hellman cipher suites and Elliptic Curve ones.
    Maybe this was the root cause of the issue you had experienced.

    • This reply was modified 5 years, 9 months ago by Ludo.
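The reply above attributes the failure to how the JVM matched cipher suites against the server certificate. "no cipher suites in common" is raised not only when the two suite lists do not overlap, but also when the overlapping suites all require a certificate key type the server does not have (an ECDSA suite needs an EC certificate, an RSA or DHE_RSA suite needs an RSA certificate). The script below is an added example, not code from the thread or from OpenDJ or the JDK: it applies that rule, as a simplified model of TLS 1.2 suite selection, to a client's offered list, a server's enabled list and the server's certificate key type, and states which of the two situations produced the empty result. The suite names are standard IANA names; the lists are constructed for the example.

```python
import re

# Simplified model (assumption): a TLS 1.2 suite name encodes the key exchange
# and the authentication algorithm, e.g. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
# When no separate auth token is present (TLS_RSA_WITH_...), the key exchange
# algorithm also authenticates. Anonymous suites are deliberately not matched.
SUITE_RE = re.compile(r'^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA)(?:_(?P<auth>RSA|ECDSA|DSS))?_WITH_')

# Certificate key type -> authentication algorithms that certificate can serve.
CERT_KEY_TO_AUTH = {'RSA': {'RSA'}, 'EC': {'ECDSA'}, 'DSA': {'DSS'}}


def suite_auth(suite):
    """Authentication algorithm a suite needs, or None for suites outside the model."""
    m = SUITE_RE.match(suite)
    if not m:
        return None
    return m.group('auth') or m.group('kx')


def usable_suites(client_offered, server_enabled, server_cert_key_type):
    """Suites both sides enable AND that the server's certificate can authenticate."""
    allowed = CERT_KEY_TO_AUTH[server_cert_key_type]
    enabled = set(server_enabled)
    return [s for s in client_offered if s in enabled and suite_auth(s) in allowed]


def explain_negotiation(client_offered, server_enabled, server_cert_key_type):
    """Human-readable verdict distinguishing the two ways to reach 'no cipher suites in common'."""
    common = [s for s in client_offered if s in set(server_enabled)]
    if not common:
        return 'no overlap between the client and server suite lists'
    usable = usable_suites(client_offered, server_enabled, server_cert_key_type)
    if not usable:
        return (f'{len(common)} common suite(s), but none can authenticate with the '
                f"server's {server_cert_key_type} certificate")
    return f'handshake possible, first usable suite: {usable[0]}'


# Constructed scenario: the server holds an EC certificate and enables only ECDSA
# suites; a client built for RSA-only suites shares nothing usable with it.
EC_SERVER_SUITES = [
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',       # enabled, but useless without an RSA key
]
RSA_ONLY_CLIENT_SUITES = [
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
]
MIXED_CLIENT_SUITES = RSA_ONLY_CLIENT_SUITES + ['TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA']

if __name__ == '__main__':
    print(explain_negotiation(RSA_ONLY_CLIENT_SUITES, EC_SERVER_SUITES, 'EC'))
    print(explain_negotiation(MIXED_CLIENT_SUITES, EC_SERVER_SUITES, 'EC'))
    print(explain_negotiation(RSA_ONLY_CLIENT_SUITES, EC_SERVER_SUITES, 'RSA'))
```

The practical check this encodes: before changing suite lists, confirm the key type of the certificate the server actually presents (keytool on the server keystore, or the certificate fields in an openssl s_client dump) and compare it with the authentication algorithm of the suites both sides enable. A JVM bug of the kind Ludo describes would make the server behave as if the third case (RSA-only client, RSA certificate) were the first, which is why updating the JDK rather than reshuffling suites was the fix.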