Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-4845

Crypto manager uses TLSv1, fails if admin connector ssl-protocol is TLSv1.2

    Details

    • Story Points:
      0
    • Support Ticket IDs:

      Description

      Reported on DS 5.0.0, also reproducible on DS 5.5.0.

      Crypto Manager getSymmetricKey uses TLSv1 to connect to admin port.

      This fails if the admin connector is configured to accept only ssl-protocol TLSv1.2.

      Setting Crypto Manager ssl-protocol to TLSv1.2 does not help. SSL debug shows that it still tries to connect using TLSv1.

       

      • Given a replication topology, say 2 nodes with DS+RS.
      • Enable confidentiality on both nodes, so that there is a symmetric key.
      • All working at this point. The admin-backend.ldif on both nodes has 2 symmetric key values, encoded with each node's instance key.
      • Set the admin connector ssl-protocol to only TLSv1.2.
      • For the purpose of having node2 get symmetric key from node1:
        • stop both DS.
        • edit the admin-backend.ldif on both nodes, deleting the ds-cfg-symmetric-key value that has node2's instance key.
        • enable SSL debugging (e.g. start-ds.java-args=... -Djavax.net.debug=all)
        • start up node1 DS, and then node2 DS.
        • at startup, node2 tries to get symmetric key from node1, but fails.
      • Node2 error log:
        [07/Mar/2018:18:22:12 +0800] category=CORE severity=ERROR msgID=654 msg=An error occurred in the trust store synchronization thread: DirectoryException: CryptoManager failed to import the symmetric key entry "ds-cfg-key-id=90d5f809-5cb7-4224-95df-c67329106c24,cn=secret keys,cn=admin data" because it could not obtain a symmetric key attribute value that can be decoded by this instance (CryptoManagerSync.java:199 CryptoManagerSync.java:158 CryptoManagerSync.java:140 DirectoryServer.java:1300 DirectoryServer.java:4210)
      • Node1 server.out with SSL debugging:
        Administration Connector 0.0.0.0 port 54444(1) SelectorRunner, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
        javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
        Administration Connector 0.0.0.0 port 54444(1) SelectorRunner, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
        Administration Connector 0.0.0.0 port 54444(1) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
        Administration Connector 0.0.0.0 port 54444(1) SelectorRunner, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
        

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                matthew Matthew Swift
                Reporter:
                wei-yee.lum Wei-Yee Lum
                Dev Assignee:
                Matthew Swift
                QA Assignee:
                Viktor Nawrath
              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: