1
votes

I'm working on a Java LDAP client and I'm still missing some information or knowledge on how to do this properly.

My Code looks like this:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

LdapContext ctx = null;
Hashtable<String, String> env = new Hashtable<String, String>();
try {
    env.clear();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "url");              // placeholder for the ldaps:// URL
    env.put(Context.SECURITY_PRINCIPAL, "user");        // placeholder bind DN
    env.put(Context.SECURITY_CREDENTIALS, "password");
    env.put(Context.SECURITY_PROTOCOL, "ssl");
    // demo value only: an export-grade cipher suite, used here to make any change visible
    env.put("java.naming.security.ssl.ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5");
    ctx = new InitialLdapContext(env, null);
} catch (NamingException nex) {
    // error handling
}

The following things happen at the moment:

  • When debugging the SSL connection I see that a TLSv1 connection is getting established between my LDAP server and my program.
  • I see the following for my client & server upon ssl handshake: *** ClientHello, TLSv1.2 and *** ServerHello, TLSv1

The things I'm missing right now:

  • I added a cipher to be included, but I don't see it in the list of supported ciphers offered in my client's hello message.
  • I didn't specify that my client offers TLS 1.2 in its hello message; where does that setting come from?
  • I would like to be able to determine myself whether I want to use TLS or SSL and which version of either TLS or SSL is going to be used. How can I achieve that? (So I can, for example, only allow TLS 1.1 & 1.2.)
2
How are you viewing the ClientHello? The ClientHello will send the list of "Cipher Suites" that the client knows of, ordered by client preference, as shown in the registry: iana.org/assignments/tls-parameters/… - jwilleke
I'm using -Djavax.net.debug=ssl:session to debug the ssl connection in Netbeans. I can see the cipher list but it doesn't include the cipher I added with env.put("java.naming.security.ssl.ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"); - Alkahna
SSL_RSA_EXPORT_WITH_RC4_40_MD5, seriously? You can drop encryption. - Michael-O
@Michael-O that is just for demo purposes, so don't worry ^^ I had to add one that was not present before, so I only had the "unsafe" ones left. - Alkahna
It appears that java.naming.security.ssl.ciphers is only supported by the 'IBM JNDI LDAP Provider', not by Sun/Oracle. - user207421

2 Answers

0
votes

Scan your server first before wasting your time on stuff that is likely not to work at all. Use: https://github.com/rbsec/sslscan

It might be possible that your server supports TLS 1.0 only.

-1
votes

Which Java version do you use? It seems that the LDAP server does not support TLSv1.2. You should specify a dedicated SSL socket factory for the LDAP service.

import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

env.put("java.naming.ldap.factory.socket", CustomTLSSSLSocketFactory.class.getName());

public class CustomTLSSSLSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public CustomTLSSSLSocketFactory() throws GeneralSecurityException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init((KeyStore) null); // null keystore = the JDK's default trust store
        TrustManager[] defaultTrustManagers = factory.getTrustManagers();

        // create the real socket factory
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, defaultTrustManagers, null);
        delegate = sc.getSocketFactory();
    }

    // Still required for this to compile and for JNDI to use it: a static getDefault() method
    // (the Sun/Oracle LDAP provider obtains the factory by calling it through reflection) and
    // the abstract createSocket(...), getDefaultCipherSuites() and getSupportedCipherSuites()
    // overrides, each forwarding to 'delegate'.
}
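As an added, complete example serving both the question's last bullet (choosing the TLS versions yourself) and the custom-socket-factory answer above; this is not the original poster's or either answerer's code. The TLS 1.2 offer seen in the ClientHello comes from the JDK's default SSLContext, not from any JNDI property, and (as the comments note) the Sun/Oracle provider does not read java.naming.security.ssl.ciphers; what it does read is java.naming.ldap.factory.socket, from which it loads the named class and calls its static getDefault(). The factory below pins the protocol versions and cipher suites on every socket before the handshake. The class name RestrictedLdapSocketFactory, the connect() helper, the protocol and cipher policy and the LDAPS endpoint-identification step are assumptions made for this example and go beyond what the question asks:

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.*;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;

// Hypothetical factory (not from the JDK or the original post) that pins TLS versions and
// cipher suites on every socket the JNDI LDAP provider opens, instead of relying on JDK defaults.
public class RestrictedLdapSocketFactory extends SSLSocketFactory {
    // Assumed policy: the question's "TLS 1.1 & 1.2 only", plus forward-secret AEAD suites.
    private static final String[] PROTOCOLS = { "TLSv1.2", "TLSv1.1" };
    private static final String[] PREFERRED_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    private final SSLSocketFactory delegate;
    private final String[] enabledSuites;

    public RestrictedLdapSocketFactory() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = the JDK's default trust store
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, tmf.getTrustManagers(), null);
        delegate = sc.getSocketFactory();
        // setEnabledCipherSuites() throws IllegalArgumentException for names this JDK does not implement
        // (older JDKs lack the GCM suites), so keep only the preferred suites it supports, in our order.
        List<String> supported = Arrays.asList(delegate.getSupportedCipherSuites());
        List<String> usable = new ArrayList<String>();
        for (String suite : PREFERRED_SUITES) {
            if (supported.contains(suite)) {
                usable.add(suite);
            }
        }
        if (usable.isEmpty()) {
            throw new GeneralSecurityException("none of the preferred cipher suites is supported by this JDK");
        }
        enabledSuites = usable.toArray(new String[usable.size()]);
    }

    // The Sun/Oracle LDAP provider loads the class named in java.naming.ldap.factory.socket
    // and obtains the factory by calling this static method through reflection.
    public static SocketFactory getDefault() {
        try {
            return new RestrictedLdapSocketFactory();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot build restricted TLS socket factory", e);
        }
    }

    // Applies the policy to a socket the delegate created, before any handshake has started.
    private Socket restrict(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        ssl.setEnabledProtocols(PROTOCOLS);        // exactly these versions go into the ClientHello
        ssl.setEnabledCipherSuites(enabledSuites);
        // Added check beyond the question: have JSSE match the server certificate against the host
        // name we connected to, which the LDAP provider of older JDKs did not do on its own.
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("LDAPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    @Override public Socket createSocket() throws IOException { return restrict(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return restrict(delegate.createSocket(address, port, localAddress, localPort));
    }
    @Override public String[] getDefaultCipherSuites() { return enabledSuites.clone(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // The question's JNDI environment, with this factory in place of the IBM-only cipher property.
    public static LdapContext connect(String ldapsUrl, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);   // e.g. ldaps://host:636 (assumed placeholder)
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", RestrictedLdapSocketFactory.class.getName());
        return new InitialLdapContext(env, null);
    }
}
```

With this in place, the same -Djavax.net.debug=ssl run used in the question should show a ClientHello carrying only the listed versions and suites; if the server only speaks TLS 1.0, as the first answer suspects, the handshake now fails instead of silently downgrading, which is the behaviour you want when enforcing a minimum version. The endpoint-identification step means the PROVIDER_URL host must match a name in the server certificate; connecting by IP address only works if the certificate carries that IP as a subject alternative name.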