OpenDJ: OPENDJ-6176

cn=monitor shows all SSL/TLS protocols being supported even if certain ones have been disabled in jvm config


    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 6.5.0, 6.0.0, 5.5.0, 4.0.0, 3.5.3, 7.0.0
    • Fix Version/s: Not applicable
    • Component/s: None


      The LDAPS Connection Handler has been configured to "Uses the default set of SSL
      protocols provided by the server's JVM."

      So, let's say we disable SSLv3 and TLSv1 in the JVM via $JAVA_HOME/jre/lib/security/java.security. Relevant config from java.security...

      jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC

      When querying the rootDSE through the SSL port, we see that the correct set of supported SSL/TLS protocols is returned (note that SSLv3 and TLSv1 are not listed since they've been disabled via java.security)...

      Vincents-MacBook-Pro:bin vincent.tran$ ./ldapsearch -p 3636 --useSSL -X -D "cn=directory manager" -w dirmanager -b "" -s base objectclass=* supportedTLSProtocols
      supportedTLSProtocols: SSLv2Hello
      supportedTLSProtocols: TLSv1.1
      supportedTLSProtocols: TLSv1.2

      However, SSLv3 and TLSv1 are still listed as supported protocols when querying cn=monitor.

      Vincents-MacBook-Pro:bin vincent.tran$ ./ldapsearch -p 3636 --useSSL -X -D "cn=directory manager" -w dirmanager -b "cn=monitor" objectclass=*  | grep -i protocol
      ds-mon-protocol: LDAPS
      ds-mon-protocol: HTTPS
      ds-mon-protocol: LDAP
      ds-mon-protocol: LDAPS
      ds-mon-jvm-supported-tls-protocols: SSLv2Hello
      ds-mon-jvm-supported-tls-protocols: SSLv3
      ds-mon-jvm-supported-tls-protocols: TLSv1
      ds-mon-jvm-supported-tls-protocols: TLSv1.1
      ds-mon-jvm-supported-tls-protocols: TLSv1.2
      Vincents-MacBook-Pro:bin vincent.tran$

      Lee performed similar tests in 5.5.0 and 7.0.0 and saw the same behavior.

      opendj; bin/$ date; ./status -V
      Thu Apr  4 15:27:42 MDT 2019
      ForgeRock Directory Services 5.5.0
      Build 20171019141329
                 Name                 Build number         Revision number
      opendj; bin/$ ./ldapsearch --port 1636 --baseDN "" --trustAll --useSSL --searchScope base "(objectclass=*)" supportedTLSProtocols
      supportedTLSProtocols: SSLv2Hello
      supportedTLSProtocols: TLSv1.1
      supportedTLSProtocols: TLSv1.2
      opendj; bin/$ ./ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPasswordFile pass --baseDN "cn=System Information,cn=monitor" --searchScope sub "(objectClass=*)" supportedTLSProtocols
      dn: cn=System Information,cn=monitor
      supportedTLSProtocols: SSLv2Hello
      supportedTLSProtocols: SSLv3
      supportedTLSProtocols: TLSv1
      supportedTLSProtocols: TLSv1.1
      supportedTLSProtocols: TLSv1.2

      Lee tested as far back as 2.6.4 and observed the same. So, it appears that the supported SSL/TLS protocols as reported via cn=monitor have always been incorrect, unless support is misunderstanding what cn=monitor is supposed to report.
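The two lists above correspond to a distinction the JSSE provider itself makes: jdk.tls.disabledAlgorithms filters the protocols that are enabled by default on a new socket, but not the set of protocols the provider implements. SSLContext.getSupportedSSLParameters() therefore still lists SSLv3 and TLSv1 after they have been disabled in java.security, while SSLContext.getDefaultSSLParameters() and SSLServerSocket.getEnabledProtocols() do not. The program below is an added example written for this page to show that on a plain JVM; it is not OpenDJ code, and because the page does not show which JSSE call populates each OpenDJ attribute, treating ds-mon-jvm-supported-tls-protocols as the "supported" set and the rootDSE supportedTLSProtocols as the "default/enabled" set is an assumption (a consistent one with the output above). The class and method names are the example's own.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not OpenDJ code): compares the protocol set a JSSE provider
 * implements with the set it actually enables under jdk.tls.disabledAlgorithms.
 * Run it with the same java.security file as the directory server, e.g.
 *   java -Djava.security.properties=/path/to/java.security TlsProtocolSets
 */
public class TlsProtocolSets {

    /** Everything the provider implements; NOT filtered by jdk.tls.disabledAlgorithms. */
    static List<String> supportedProtocols(SSLContext ctx) {
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    /** What a new socket from this context enables by default; honours jdk.tls.disabledAlgorithms. */
    static List<String> defaultProtocols(SSLContext ctx) {
        return Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());
    }

    /** Protocols that are implemented but disabled: present in "supported", absent on the wire. */
    static List<String> supportedButDisabled(SSLContext ctx) {
        List<String> diff = new ArrayList<>(supportedProtocols(ctx));
        diff.removeAll(defaultProtocols(ctx));
        return diff;
    }

    public static void main(String[] args) throws Exception {
        // The property as read from java.security (or the override file passed on the command line).
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("supported by provider : " + supportedProtocols(ctx));
        System.out.println("enabled by default    : " + defaultProtocols(ctx));
        System.out.println("supported but disabled: " + supportedButDisabled(ctx));

        // The listening socket is what a client negotiates against, so this is the
        // list to trust when auditing TLS policy. No key material is needed just to
        // create the socket and read its parameters.
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket listener = (SSLServerSocket) factory.createServerSocket(0)) {
            System.out.println("listener enabled      : " + Arrays.asList(listener.getEnabledProtocols()));
            System.out.println("listener supported    : " + Arrays.asList(listener.getSupportedProtocols()));
        }
    }
}
```

With the jdk.tls.disabledAlgorithms line shown above, the "enabled by default" and "listener enabled" lists will omit SSLv3 and TLSv1 while the "supported" lists keep them, which is the same shape as the rootDSE versus cn=monitor output in the report. SSLv2Hello survives in both lists because it is a ClientHello framing option rather than a negotiable protocol version and was not named in the disabled list. When checking a server's effective TLS policy, rely on the enabled set (or a handshake probe against the port), not on a "supported" inventory.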





              • Assignee: Matthew Swift (matthew)
              • Vincent Tran (vincent.tran)
              • Dev Assignee: Matthew Swift
              • Votes: 0
              • Watchers: 1

