Im working on an java LDAP-Client and I'm still missing some information or knowledge on how to do this properly. My Code looks like this: LdapContext ctx = null; Hashtable<String, String> env = new Hashtable <String, String>(); try{ env.clear(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "url"); env.put(Context.SECURITY_PRINCIPAL, "user"); env.put(Context.SECURITY_CREDENTIALS, "password"); env.put(Context.SECURITY_PROTOCOL, "ssl"); env.put("java.naming.security.ssl.ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"); ctx = new InitialLdapContext(env, null); } catch(NamingException nex) { // error handling } The following things happen at the moment: When debugging the ssl connection I see that a TLSv1 Connection is getting established between my LDAP-Server and my programm. I see the following for my client & server upon ssl handshake: *** ClientHello, TLSv1.2 and *** ServerHello, TLSv1 The things I'm missing right now: I added a cipher to be included but I dont see it in the list of supported ciphers offered in my client's hello message I did't specify that my client offers TLS1.2 in his hello message, where does that setting come from? I would like to be able to determine myself if I want to use TLS or SSL and which version of either TLS or SSL is going to be used, how can I achieve that? (So I can for example only allow TLS 1.1 & 1.2)

Reputation: 441

How to specify SSL/TLS version on Java LDAP connection?

Im working on an java LDAP-Client and I'm still missing some information or knowledge on how to do this properly.

My Code looks like this:

LdapContext ctx = null;
Hashtable<String, String> env = new Hashtable <String, String>();
try{
    env.clear();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "url");
    env.put(Context.SECURITY_PRINCIPAL, "user");
    env.put(Context.SECURITY_CREDENTIALS, "password");
    env.put(Context.SECURITY_PROTOCOL, "ssl");
    env.put("java.naming.security.ssl.ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5");
    ctx = new InitialLdapContext(env, null);
} catch(NamingException nex) {
    // error handling
}

The following things happen at the moment:

When debugging the ssl connection I see that a TLSv1 Connection is getting established between my LDAP-Server and my programm.
I see the following for my client & server upon ssl handshake: *** ClientHello, TLSv1.2 and *** ServerHello, TLSv1

The things I'm missing right now:

I added a cipher to be included but I dont see it in the list of supported ciphers offered in my client's hello message
I did't specify that my client offers TLS1.2 in his hello message, where does that setting come from?
I would like to be able to determine myself if I want to use TLS or SSL and which version of either TLS or SSL is going to be used, how can I achieve that? (So I can for example only allow TLS 1.1 & 1.2)

Upvotes: 1

Answers (2)

kriz

Reputation: 1

which java version do you use ? It seems that ldap server does not support TLSv1.2 you should specify dedicated ssl socket factory for ldap service.

env.put("java.naming.ldap.factory.socket", CustomTLSSSLSocketFactory.class.getName);

CustomTLSSSLSocketFactory extends SSSLSocketFactory {
public CustomTLSSSLSocketFactory() {
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init((KeyStore) null);
        TrustManager[] defaultTrustManagers = factory.getTrustManagers();

        // create the real socket factory
        SSLContext sc = SSLContext.getInstance("TLS"); //$NON-NLS-1$
        sc.init(null, defaultTrustManagers, null);
        delegate = sc.getSocketFactory();
    }
}

Upvotes: -1

Michael-O

Reputation: 18415

Scan you server first before wasting your time for stuff likely not work at all. use: https://github.com/rbsec/sslscan

It might be possible that your server support TLS 1.0 only.

Upvotes: 0

How to specify SSL/TLS version on Java LDAP connection?

Answers (2)

Related Questions