
OpenAM cannot connect to a DataStore which accepts only TLSv1.2

    Details

    • Sprint:
      AM Sustaining Sprint 17, AM Sustaining Sprint 18, AM Sustaining Sprint 19
      Description

      Steps to reproduce:

      1. Configure an OpenDJ datastore to accept only TLSv1.2 connections.
      For example (each continuation backslash must be the last character on its line and be preceded by a space, otherwise the shell joins the arguments together):

      dsconfig set-connection-handler-prop \
      --hostname $DS_HOST \
      --port $ADMIN_PORT \
      --bindDN "$DIR_MGR" \
      --bindPassword $DIR_MGR_PSWD \
      --handler-name "LDAPS Connection Handler" \
      --add ssl-protocol:TLSv1.2 \
      --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
      --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
      --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
      --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
      --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
      --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
      --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA \
      --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA \
      --trustAll \
      --no-prompt

      2. Configure the JVM running OpenAM (the LDAPS client) to connect to the datastore using TLSv1.2:

      -Djdk.tls.client.protocols="TLSv1.2"

      3. With javax.net.debug=SSL enabled, observe in the OpenAM container debug output that OpenAM still tries to use TLSv1.1 and fails during the handshake.

      Possible explanation:
      OpenAM does not set the SSL/TLS protocol when it uses the DJ SDK's SSLContextBuilder class; that is, setProtocol() is apparently never called. The Javadoc for that method states:
      http://opendj.forgerock.org/opendj-core/apidocs/org/forgerock/opendj/ldap/SSLContextBuilder.html

      Sets the protocol which the SSL context should use. By default, TLSv1 will be used.
      Parameters:
      protocol - The protocol which the SSL context should use, which may be null indicating that TLSv1 will be used.
      

      This results in the DJ SDK calling:

      sslContext = SSLContext.getInstance("TLSv1");
      

      which prevents the JVM property

      jdk.tls.client.protocols="TLSv1.2"

      from taking effect, because that property only customises the generic "TLS" (and "Default") SSLContext, not a context pinned to a specific protocol version.

      Possible solution:
      Call setProtocol("TLS");
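      The following probe is an added example (not part of this issue or of the DJ SDK) that reproduces the root cause in plain JSSE: it builds one SSLContext pinned to "TLSv1", as the SDK does when setProtocol() is never called, and one generic "TLS" context, as the proposed fix would produce, and reports which protocols each context enables on a client-mode engine. Class and method names are the example's own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/**
 * Probe showing why SSLContext.getInstance("TLSv1") ignores
 * -Djdk.tls.client.protocols while SSLContext.getInstance("TLS") honours it.
 */
public class TlsContextProbe {

    /**
     * Builds a client-mode SSLEngine from the named SSLContext algorithm and
     * returns the protocols that engine would offer in its ClientHello.
     */
    static String[] enabledClientProtocols(String contextAlgorithm)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(contextAlgorithm);
        // Default key and trust managers are sufficient just to inspect parameters.
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));
        // Current DJ SDK behaviour when setProtocol() is never called: version pinned.
        System.out.println("TLSv1 context enables: "
                + Arrays.toString(enabledClientProtocols("TLSv1")));
        // Proposed fix, setProtocol("TLS"): the generic context, which honours the property.
        System.out.println("TLS context enables:   "
                + Arrays.toString(enabledClientProtocols("TLS")));
    }
}
```

      Run it as java -Djdk.tls.client.protocols=TLSv1.2 TlsContextProbe and compare the two lines: the pinned "TLSv1" context lists the same protocols whether or not the property is set, while the "TLS" context follows the property.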

              People

              • Assignee:
                kamal.sivanandam@forgerock.com Kamal Sivanandam
              • Reporter:
                andrew.dunn Andrew Dunn [X] (Inactive)