OPENDJ-4328
Specifying ciphers on the Administration Connector causes tool connection failures

      Description

      If you specify any ciphers on the Administration Connector, tools such as dsreplication and status fail to connect and can throw communication exceptions.

      Test case:

      1. Set a cipher such as TLS_RSA_WITH_AES_128_CBC_SHA256 on the Administration Connector.
      2. Execute "dsreplication status" or "status".

      Results: 

      • DJ 3.5.x fails.
      • DS 5.0 succeeds.

      Errors:

      • dsreplication
        Unable to connect to the server at opendj.forgerock.com on port 4444. Check
        this port is an administration port
        
      • status
        Error reading configuration. Details:
        javax.naming.CommunicationException: simple bind failed: 0.0.0.0:4444 [Root
        exception is javax.net.ssl.SSLHandshakeException: Remote host closed
        connection during handshake]

      In both of the above cases, the SSL debug output reports the cipher suite as unsupported, although the same configuration works in DJ 4.0/DS 5.0.

      Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256

      In 3.5.x the final "Cipher Suites" list does not contain the above cipher, while in the working case (4.0.0) the cipher suite is shown.

      Note: the last cipher in the paste below is the configured cipher.

      Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256 ... ... ...

      Side note:

      • The initial SSL debug output shows 28 "Ignoring unsupported cipher suite" messages.
      • The final "Cipher Suites" list shows 22 ciphers in 3.5.x, while 4.0.0 has 50.

      The only workaround is to unset the ciphers, which allows all available ciphers to be evaluated.
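      One way to triage this kind of failure from the javax.net.debug=ssl output quoted above, as an added example that is not part of the issue or of OpenDJ: a script that collects the "Ignoring unsupported cipher suite" messages and the final "Cipher Suites" list, reports for each configured suite whether it was offered, dropped or absent, and flags dropped suites that only exist from TLS 1.2 onwards (HMAC-SHA256/SHA384 and AES-GCM suites, per RFC 5246 and RFC 5288). The JSSE logs that message for a suite that is enabled but cannot be used with the enabled protocol versions, so the flag points at the connector's protocol list as the first thing to compare between the 3.5.x and 4.0.0 setups. The sample debug text is constructed to match the shape of the paste, not taken from the attached files, and its suite list is shortened.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of javax.net.debug=ssl output in the shape quoted in the
# issue; it is not taken from the attached debug files.
SAMPLE_DEBUG = """\
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
"""

IGNORED_RE = re.compile(r"Ignoring unsupported cipher suite:\s*([A-Z0-9_]+)")
LIST_RE = re.compile(r"Cipher Suites:\s*\[([^\]]*)\]")
SUITE_NAME_RE = re.compile(r"[A-Z0-9_]+")


def parse_debug(text: str) -> Tuple[List[str], List[str]]:
    """Return (suites reported as unsupported, suites in the last 'Cipher Suites' list)."""
    ignored = IGNORED_RE.findall(text)
    lists = LIST_RE.findall(text)
    offered: List[str] = []
    if lists:
        # The issue compares the *final* list, so take the last one printed.
        for item in lists[-1].split(","):
            name = item.strip()
            if SUITE_NAME_RE.fullmatch(name):
                offered.append(name)
    return ignored, offered


def requires_tls12(suite: str) -> bool:
    """HMAC-SHA256/SHA384 and AES-GCM suites exist only from TLS 1.2 (RFC 5246, RFC 5288)."""
    return suite.endswith(("_SHA256", "_SHA384")) or "_GCM_" in suite


def check_configured(configured: List[str], debug_text: str) -> Dict[str, str]:
    """Classify each configured suite against what the debug output shows."""
    ignored, offered = parse_debug(debug_text)
    ignored_set, offered_set = set(ignored), set(offered)
    report: Dict[str, str] = {}
    for suite in configured:
        if suite in offered_set:
            report[suite] = "offered"
        elif suite in ignored_set:
            # A dropped TLS 1.2-only suite suggests the enabled protocols stop
            # short of TLSv1.2; compare the connector's protocol list first.
            report[suite] = "ignored-tls12-only" if requires_tls12(suite) else "ignored"
        else:
            report[suite] = "absent"
    return report


if __name__ == "__main__":
    # The single suite from the issue's test case (step 1).
    configured = ["TLS_RSA_WITH_AES_128_CBC_SHA256"]
    ignored, offered = parse_debug(SAMPLE_DEBUG)
    print(f"{len(ignored)} 'Ignoring unsupported cipher suite' messages, "
          f"{len(offered)} suites in the final list")
    for suite, status in check_configured(configured, SAMPLE_DEBUG).items():
        print(f"{suite}: {status}")
```

      Run it against the real debug output by reading the attached file into `debug_text` instead of `SAMPLE_DEBUG`; the two counts it prints correspond to the 28 messages and the 22-versus-50 list sizes noted in the side note.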

        Attachments

        1. 350-debug-one-cipher.zip (48 kB)
        2. 400-debug-one-cipher.zip (82 kB)
        3. debug-ssltap-test.out (41 kB)
        4. ssltap-debug.html (4 kB)

              People

              • Assignee: Chris Ridd (cjr)
              • Reporter: Lee Trujillo (lee.trujillo)