LDAP SSL not working (#265)
Closed
Slava Bendersky opened 1 decade ago

LDAP bind SSL not working.

2013-12-07 05:28:21.608 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 0]  LdapAuthProvider.doBindAuthentication()  WARNING: Can't authenticate user
javax.naming.CommunicationException: simple bind failed: myldap:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.InitialContext.<init>(InitialContext.java:216)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
	at tigase.db.ldap.LdapAuthProvider.doBindAuthentication(LdapAuthProvider.java:163)
	at tigase.db.ldap.LdapAuthProvider.otherAuth(LdapAuthProvider.java:220)
	at tigase.db.AuthRepositoryMDImpl.otherAuth(AuthRepositoryMDImpl.java:249)
	at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:118)
	at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
	at tigase.auth.mechanisms.SaslPLAIN.evaluateResponse(SaslPLAIN.java:64)
	at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
	at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2571)
	at tigase.util.WorkerThread.run(WorkerThread.java:132)

Bartosz Małkowski commented 1 decade ago

Untrusted certificate.

Possible causes:

  • the root CA isn't in the Java truststore. Solution: add the root CA to the Java default truststore

  • the root CA is in the truststore, but the LDAP server doesn't send the whole chain. For example, during certificate validation the client has: the CA (from the truststore), (a missing intermediate), and the end-entity certificate (received from the server). Solution: the LDAP server must send all certificates in the chain except the root.

TODO:

  • add an option to turn off certificate validation (this makes the client accept any server certificate, so it only helps as a lab workaround; the proper fix remains getting the CA chain into the truststore)
Artur Hefczyc commented 10 years ago

Is this bug resolved already?

Bartosz Małkowski commented 10 years ago

Do you still have a problem with it?

Slava Bendersky commented 10 years ago

Hello Everyone,

I will set it up in the lab again, because since I reported this we haven't used SSL LDAP.

Slava.

Type
Bug
Priority
Critical
Assignee
RedmineID
1658
Reference
tigase/_server/server-core#265