LDAP SSL not working (#265)

Slava Bendersky opened 1 decade ago
LDAP bind SSL not working.
2013-12-07 05:28:21.608 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 0]  LdapAuthProvider.doBindAuthentication()  WARNING: Can't authenticate user
javax.naming.CommunicationException: simple bind failed: myldap:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Activities
Bartosz Małkowski commented 1 decade ago
Untrusted certificate.

Possible causes:

root CA isn't added to Java truststore. Solution: add root CA to java default truststore

root CA is in truststore, but LDAP doesn't sends whole chain. For example during certificate validation client has: CA (from truststore), (missing intermediate), end-certificate (received from server). Solution: LDAP must sends all certificates from chain.

TODO:

add option to turn off certificate validation
Artur Hefczyc commented 1 decade ago

Is this bug resolved already?
Bartosz Małkowski commented 1 decade ago

Do you still have a problem with it?
Slava Bendersky commented 1 decade ago

Hello Everyone,

I will do setup in lab again, because since I reported we didn't used SSL ldap.

Slava.
Login to comment
Type	Bug
Priority	Critical
Assignee	Slava Bendersky
RedmineID	1658
Issue Votes (0)
Watchers (0)
Reference
tigase/_server/server-core#265