- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 12.0.0, 12.0.1, 12.0.2
- Component/s: idrepo
- Labels:
- Environment: Oracle jdk1.8.0_51 on tomcat 8.0.24
Steps to reproduce:
1. Configure an OpenDJ datastore to accept only TLSv1.2 connections. For example (the original command had no space before several of the line-continuation backslashes, which would glue adjacent arguments together; spaces added):
dsconfig set-connection-handler-prop \
  --hostname $DS_HOST \
  --port $ADMIN_PORT \
  --bindDN "$DIR_MGR" \
  --bindPassword $DIR_MGR_PSWD \
  --handler-name "LDAPS Connection Handler" \
  --add ssl-protocol:TLSv1.2 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
  --add ssl-cipher-suite:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
  --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA \
  --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA \
  --trustAll \
  --no-prompt
2. Configure the OpenAM JVM (OpenAM acting as the LDAPS client) to connect to the datastore using TLSv1.2 only:
-Djdk.tls.client.protocols="TLSv1.2"
3. With -Djavax.net.debug=ssl enabled, observe in the OpenAM container debug output that OpenAM still tries to use TLSv1.1 and fails during the handshake.
Possible explanation:
OpenAM does not set the SSL/TLS protocol when it builds its context with the DJ SDK's SSLContextBuilder class; that is, setProtocol() is apparently never called.
http://opendj.forgerock.org/opendj-core/apidocs/org/forgerock/opendj/ldap/SSLContextBuilder.html
From the SSLContextBuilder.setProtocol() javadoc: "Sets the protocol which the SSL context should use. By default, TLSv1 will be used. Parameters: protocol - The protocol which the SSL context should use, which may be null indicating that TLSv1 will be used."
This results in the DJ SDK calling:
sslContext = SSLContext.getInstance("TLSv1");
which prevents the JVM property
jdk.tls.client.protocols="TLSv1.2"
from taking effect, because only the "TLS" (default) context consults that property.
Possible solution:
Call setProtocol("TLS");
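Added example, not code from the ticket, OpenAM or the DJ SDK: a plain-JDK check that shows why a context named "TLSv1" ignores -Djdk.tls.client.protocols while "TLS" honours it, plus the fail-fast check and socket-level pin a client can apply before handshaking. Class and method names are my own.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class ContextProtocolCheck {

    // Default client-side protocols of a context built by name. "TLSv1" is what
    // the ticket says the DJ SDK uses; "TLS" is the proposed fix. Only the
    // "TLS"/"Default" context reads -Djdk.tls.client.protocols.
    static String[] defaultClientProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // JVM default key and trust managers
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Fail-fast check for an LDAPS client: refuse to connect with a context
    // that cannot offer the protocol the directory server is configured to require.
    static boolean canOffer(String contextName, String required) throws Exception {
        return Arrays.asList(defaultClientProtocols(contextName)).contains(required);
    }

    // Belt-and-braces mitigation independent of how the context was named:
    // pin the enabled protocols on the socket itself before the handshake
    // (TLSv1.2 is in the supported list even for a "TLSv1" context on JDK 8).
    static void pinToTls12(SSLSocket socket) {
        socket.setEnabledProtocols(new String[] {"TLSv1.2"});
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.client.protocols="
                + System.getProperty("jdk.tls.client.protocols"));
        for (String name : new String[] {"TLSv1", "TLS"}) {
            System.out.printf("%-5s default client protocols: %s%n", name,
                    Arrays.toString(defaultClientProtocols(name)));
            System.out.printf("%-5s can offer TLSv1.2: %s%n", name, canOffer(name, "TLSv1.2"));
        }
    }
}
```

Run it once with `java -Djdk.tls.client.protocols=TLSv1.2 ContextProtocolCheck` and once without: on a JDK 8 JVM the "TLSv1" context reports the same default protocols both times, while "TLS" narrows to TLSv1.2 only when the property is set.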
Issue links:
- is related to: OPENDJ-2930 Advertise support for TLSv1.2 in SSLContextBuilder (Done)
- relates to: OPENAM-9689 OpenAM can not be configured if TLSv1.2 external configuration data store and user data store are used (Closed)