[ https://issues.apache.org/jira/browse/DIRSERVER-2318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18058847#comment-18058847 ]
Aurelien Tisné commented on DIRSERVER-2318:
-------------------------------------------
It seems better to use {{ssl:handshake}} (rather than {{handshake}}, as in
your first message). I have a bunch of logs...
I'll give you only the last messages:
{code:java}
...
javax.net.ssl|ALL|03|NioProcessor-1|2026-02-16 10:30:14.814
CET|SignatureScheme.java:445|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.817
CET|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.964
CET|SSLExtensions.java:272|Ignore, context unavailable extension:
renegotiation_info
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.964
CET|PreSharedKeyExtension.java:654|No session to resume.
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.964
CET|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.969
CET|ClientHello.java:638|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"random" :
"E82075451B1FE49570CB818BDE76653B194469BFDB6942447D200475B89CEA27",
"session id" :
"2DB0CE109AFD1888FB61A2770B1BD4F26DF8296095F4174A2F2E3FB9DD59B419",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302),
TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303),
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C),
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B),
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9),
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030),
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8),
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F),
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA),
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3),
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E),
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040),
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A),
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014),
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009),
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013),
TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039),
TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038),
TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"compression methods" : "00",
"extensions" : [
"status_request (5)": {
"certificate status type": ocsp
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
},
"supported_groups (10)": {
"named groups": [x25519, secp256r1, secp384r1, secp521r1, x448,
ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
},
"ec_point_formats (11)": {
"formats": [uncompressed]
},
"status_request_v2 (17)": {
"cert status request": {
"certificate status type": ocsp_multi
"OCSP status request": {
"responder_id": <empty>
"request extensions": {
<empty>
}
}
}
},
"extended_master_secret (23)": {
<empty>
},
"session_ticket (35)": {
<empty>
},
"signature_algorithms (13)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224]
},
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
},
"psk_key_exchange_modes (45)": {
"ke_modes": [psk_dhe_ke]
},
"signature_algorithms_cert (50)": {
"signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384,
ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256,
rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256,
rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384,
rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1,
rsa_pkcs1_sha1, dsa_sha1]
},
"key_share (51)": {
"client_shares": [
{
"named group": x25519
"key_exchange": {
0000: 00 E3 CB 7A EA 74 5F 4A 28 D1 C6 CB EF 9F E8 E3
...z.t_J(.......
0010: 51 21 6D 33 5D 04 A5 B9 EF C4 3C 7D F9 E4 18 70
Q!m3].....<....p
}
},
{
"named group": secp256r1
"key_exchange": {
0000: 04 FD AF E9 F6 E5 B5 3A 37 E0 F4 1C 47 82 2E 20
.......:7...G..
0010: 7D C6 8C D3 58 25 67 4B 89 1C AA BF BB 25 FA C9
....X%gK.....%..
0020: 27 4B 5E FC 59 28 CE F3 2E 21 F4 73 AD 49 A3 18
'K^.Y(...!.s.I..
0030: 4E 3D 7B 59 C2 92 02 85 F6 22 DA F2 FA D2 34 05
N=.Y....."....4.
0040: 73
}
},
]
}
]
}
)
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.973
CET|SSLEngineOutputRecord.java:529|WRITE: TLSv1.3 handshake, length = 417
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:15.065
CET|SSLEngineInputRecord.java:213|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:15.068
CET|Alert.java:232|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
javax.net.ssl|ERROR|03|NioProcessor-1|2026-02-16 10:30:15.070
CET|TransportContext.java:375|Fatal (HANDSHAKE_FAILURE): Received fatal alert:
handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: (handshake_failure) Received fatal
alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
at
java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:287)
at
java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:209)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at
java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736)
at
java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691)
at
java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at
java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:774)
at
org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:710)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:596)
at
org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:355)
at
org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:517)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
at
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
at
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1222)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1211)
at
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
at
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1583)}
)
javax.net.ssl|ALL|03|NioProcessor-1|2026-02-16 10:30:15.072
CET|SSLSessionImpl.java:1190|Invalidated session:
Session(1771234214747|SSL_NULL_WITH_NULL_NULL)
{code}
Tell me if it's not enough.
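The following is an added example, not code from this thread or from the ApacheDS or Apache MINA projects. It is a small triage script for {{javax.net.debug=ssl:handshake}} output of the shape pasted above: it pulls the offered protocol versions and cipher suites out of the ClientHello dump, lists the records written and read, collects the alert, and answers the first question worth asking here: did the fatal alert come back before any ServerHello, or later? The transcript it parses is a constructed, condensed sample in the same format (timestamps, thread names and the shortened suite list are invented); the legacy-suite check at the end goes beyond the log and flags DSS and SHA-1 CBC suites the client offered, which are worth pruning once the handshake works.

```python
"""Triage helper for JSSE debug output (-Djavax.net.debug=ssl:handshake).

Added example: not part of the Jira thread, ApacheDS or Apache MINA.
"""
import re

# Constructed sample: a condensed transcript in the same format as the
# log in the comment above (ClientHello written, fatal alert read back,
# no ServerHello in between). Timestamps, thread names and the shortened
# suite list are invented.
SAMPLE_LOG = """\
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.969 CET|ClientHello.java:638|Produced ClientHello handshake message (
"ClientHello": {
"client version" : "TLSv1.2",
"cipher suites" : "[TLS_AES_256_GCM_SHA384(0x1302),
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F),
TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032),
TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
"extensions" : [
"supported_versions (43)": {
"versions": [TLSv1.3, TLSv1.2]
}
]
}
)
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:14.973 CET|SSLEngineOutputRecord.java:529|WRITE: TLSv1.3 handshake, length = 417
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:15.065 CET|SSLEngineInputRecord.java:213|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|03|NioProcessor-1|2026-02-16 10:30:15.068 CET|Alert.java:232|Received alert message (
"Alert": {
"level" : "fatal",
"description": "handshake_failure"
}
)
"""

# One regex per fact we care about; all tolerate the line wrapping JSSE uses.
RECORD_RE = re.compile(r"\|(READ|WRITE): (TLSv1\.\d) (\w+), length = (\d+)")
ALERT_RE = re.compile(r'"level"\s*:\s*"(\w+)"\s*,\s*"description"\s*:\s*"(\w+)"')
VERSIONS_RE = re.compile(r'"supported_versions \(43\)":\s*\{\s*"versions":\s*\[([^\]]*)\]')
SUITES_RE = re.compile(r'"cipher suites"\s*:\s*"\[([^\]]*)\]"')
SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+)\((0x[0-9A-Fa-f]{4})\)")


def parse_jsse_log(text):
    """Extract the handshake-relevant facts from a JSSE debug transcript."""
    summary = {
        "client_hello": None,
        # JSSE dumps a consumed ServerHello under the key "ServerHello".
        "server_hello": "ServerHello" in text,
        "records": [(d, v, t, int(n)) for d, v, t, n in RECORD_RE.findall(text)],
        "alerts": [(lvl, desc) for lvl, desc in ALERT_RE.findall(text)],
    }
    if "Produced ClientHello handshake message" in text:
        versions = VERSIONS_RE.search(text)
        suites = SUITES_RE.search(text)
        summary["client_hello"] = {
            "versions": [v.strip() for v in versions.group(1).split(",")] if versions else [],
            "cipher_suites": SUITE_RE.findall(suites.group(1)) if suites else [],
        }
    return summary


def triage(summary):
    """Return a one-line verdict on where the handshake broke."""
    fatal = [desc for lvl, desc in summary["alerts"] if lvl == "fatal"]
    if not fatal:
        return "no fatal alert in transcript"
    reads = [r for r in summary["records"] if r[0] == "READ"]
    # First thing read back is an alert and no ServerHello was ever dumped:
    # the server rejected the ClientHello parameters themselves.
    if summary["client_hello"] and not summary["server_hello"] and reads and reads[0][2] == "alert":
        return (f"server answered ClientHello with fatal {fatal[0]} before any ServerHello: "
                "no acceptable combination of protocol version, cipher suite and server "
                "credential; look at the server keystore and enabled suites, not client trust")
    return f"fatal {fatal[0]} after the handshake had progressed past ClientHello"


def legacy_suites(summary):
    """Names of offered suites using DSA (DSS) or SHA-1 HMAC CBC; candidates to disable."""
    names = [name for name, _ in summary["client_hello"]["cipher_suites"]]
    return [n for n in names if "_DSS_" in n or n.endswith("_CBC_SHA")]


if __name__ == "__main__":
    facts = parse_jsse_log(SAMPLE_LOG)
    print(facts["client_hello"]["versions"], facts["records"], facts["alerts"])
    print(triage(facts))
    print("legacy suites offered:", legacy_suites(facts))
```

Feed it the full {{ssl:handshake}} output instead of the sample and the verdict is driven by the same two facts visible above: one WRITE of a 417-byte handshake record, then a READ of a 2-byte alert with no ServerHello in between. One caveat when reading the records line: the "TLSv1.2" on the alert is the record-layer version, and TLS 1.3 records also carry 0x0303 there, so it does not tell you which protocol version the server had settled on. The original report mentions a "key was only 512 bits" error in one setup; a rejected ClientHello of this kind is exactly where such a server credential problem shows up, which is why the verdict points at the keystore and enabled suites first.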
> StartTLS and LDAPS are not working
> ----------------------------------
>
> Key: DIRSERVER-2318
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2318
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap, security
> Affects Versions: 2.0.0-M24, 2.0.0.AM26
> Environment: Ubuntu 20.04 clean installation used for both client and
> server. Used version 2.0.0~M24-3 from Ubuntu repository and version
> 2.0.0.AM26 deb package from official website. Using openjdk-14-jre and
> openjdk-11-jre from Ubuntu repository. Apache Studio 2.0.0-M15 from website.
> Reporter: Karl Frauendienst
> Priority: Major
> Attachments: Apache_Studio_StartTLS.log
>
>
> Attempting to make a secure LDAP connection results in a handshake failure with
> an unknown error. No error with unencrypted connections. Tested on two
> separate systems.
> First setup: Ubuntu Server 20.04 with apacheds 2.0.0~M24-3 installed from the
> repository. Tried both default-jre (openjdk-11-jre) and openjdk-14-jre.
> Running Apache Studio 2.0.0-M15 from the official website on a separate Ubuntu
> Desktop 20.04 system and tested with the same two JRE versions. On this setup, I
> occasionally got an error stating the key was only 512 bits, so I used
> keytool according to the ApacheDS getting started guide to create and use a
> 2048-bit keypair. Following that, I only get the handshake failure.
> Second setup: Ubuntu Desktop 20.04 running openjdk-14-jre with the ApacheDS
> 2.0.0.AM26 deb package and Apache Studio 2.0.0-M15 from the official website. This
> produces the handshake error. I believe the issue is server-side because I
> can produce a similar handshake error using ldapsearch. It works fine
> unencrypted, but fails using either StartTLS on port 10389 or LDAPS on 10636.
> I did not replace the keypair in this setup. This setup will occasionally
> work with StartTLS and LDAPS, but it seemingly works or fails
> intermittently with no configuration changes being made.
> I have tested with Apache Studio SSL verification both enabled and disabled
> in both cases.
> Errors produced include:
> !MESSAGE Improper close state: Status = OK HandshakeStatus = NEED_WRAP
> !MESSAGE The authentication failed
> - ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified
> !MESSAGE
> org.apache.directory.api.ldap.model.exception.LdapTlsHandshakeException:
> ERR_04120_TLS_HANDSHAKE_ERROR The TLS handshake failed, reason: Unspecified
> !MESSAGE ERR_01200_BAD_TRANSITION_FROM_STATE Bad transition from state
> START_STATE, tag 0x15
> !MESSAGE org.apache.directory.api.ldap.codec.api.ResponseCarryingException:
> ERR_01200_BAD_TRANSITION_FROM_STATE Bad transition from state START_STATE,
> tag 0x15
> !MESSAGE Error while opening connection
> - PROTOCOL_ERROR: The server will disconnect!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)