This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jul 16, 2015, 12:36 PM
11 Posts

Traveler/LDAP/HTTPS problem

  • Category: Domino Server
  • Platform: Linux
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 9

Hi,

I use LDAP for authenticating to Traveler.
There is an SSL connection configured via 636 in the Directory Assistance database.
Everything worked fine until I began using HTTPS for Traveler.
I have an SSL certificate from a third-party CA.
I used kyrtool for the implementation.
RSA private key, 4096 bit
SHA-256

When the new server.kyr is in the server document, authentication via LDAP doesn't work.
When I turn back to the old keyfile.kyr or change the LDAP connection to 389 in Directory Assistance, everything works.

Thank you

Jul 16, 2015, 2:08 PM
191 Posts
Is the server key 4096?
Try a 2048-bit key and see if that works.
Jul 17, 2015, 12:51 PM
11 Posts
RE: Is the server key 4096?

I tried a 2048-bit key, but there is the same problem.

Jul 17, 2015, 2:10 PM
94 Posts
What versions are each of the servers, and is the LDAP server running on Domino?
Jul 20, 2015, 8:15 AM
11 Posts
Re: What versions are each of the servers, and is the LDAP server running on Domino?

Domino 9.0.1 FP3

LDAP: Tivoli Directory Server

Traveler 9.0.1.6

Jul 20, 2015, 7:49 PM
94 Posts
Domino console output...
If you set DEBUG_SSL_HANDSHAKE=2 on the Domino server, what messages do you see associated with the Domino -> TDS connection over LDAPS? If switching the LDAP connection from SSL/TLS to plaintext makes the problem go away, the problem is probably in that space.
Jul 21, 2015, 12:39 PM
11 Posts
Re:

This is the console output after setting the debug parameter:

[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 0 Available cipherspec: 0x009D
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 1 Available cipherspec: 0x009C
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 2 Available cipherspec: 0x003D
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 3 Available cipherspec: 0x0035
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 4 Available cipherspec: 0x003C
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 5 Available cipherspec: 0x002F
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLInitContext> 6 Available cipherspec: 0x000A
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_TRUSTPOLICY>  bits for signature hashes: 0014
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_Handshake> Enter
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSL_Handshake> outgoing ->protocolVersion: 0303
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake Enter> Processed : 0 State: 4 (HandshakeClientIdle)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake Enter> Processed : SSL_hello_request
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeClientHello
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLAdvanceHandshake Exit> State : 5 (HandshakeServerHello)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessProtocolMessage> Record Content: 22
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessHandshakeMessage Enter> Message: 2 State: 5 (HandshakeServerHello) Key Exchange: 0 Cipher: 0x0000 (Unknown Cipher)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessHandshakeMessage Enter> Message:= SSL_server_hello
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Server chose SSL/TLS version TLS1.0 (0x0301)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Server chose cipher spec RSA_WITH_AES_256_CBC_SHA (0x0035)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Extensions found in this message
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Extension type 0xFF01, extension length 0x0001
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessHandshakeMessage Exit> Message: 2 State: 5 (HandshakeServerHello) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Enter> Processed : 2 State: 5 (HandshakeServerHello)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Enter> Processed : SSL_server_hello
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Exit> State : 8 (HandshakeCertificate)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message: 11 State: 8 (HandshakeCertificate) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message:= SSL_certificate
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLProcessHandshakeMessage Exit> Message: 11 State: 2 (SSLErrorClose) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake state= 2 Status= -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Enter
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Current Cipher 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake2 state 2
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -6986
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]

Jul 21, 2015, 2:55 PM
94 Posts
Looks like an invalid or untrusted certificate chain on the LDAP server
This section of the log shows that Domino was processing the LDAP server's certificate chain when it hit a fatal problem, sending an alert back to the LDAP server and reporting "X509CertChainInvalid" back up to the higher levels.

[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLAdvanceHandshake Exit> State : 8 (HandshakeCertificate)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message: 11 State: 8 (HandshakeCertificate) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message:= SSL_certificate
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLProcessHandshakeMessage Exit> Message: 11 State: 2 (SSLErrorClose) Key Exchange: 1 Cipher: 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake state= 2 Status= -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -5000
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Enter
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Current Cipher 0x0035 (RSA_WITH_AES_256_CBC_SHA)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> After handshake2 state 2
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSL_Handshake> Exit Status = -6986
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]

Did the "old" keyring file on Domino contain any trusted roots that aren't in the new keyring file, such as, for example, the LDAP server's trusted root? You can view that information in both keyring files via kyrtool, and can import any missing roots from the old keyring file into the new one also using kyrtool.
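Added example (not from this thread, HCL or IBM): a small Python parser that pulls the offered and negotiated TLS version, the chosen cipher, the last handshake message processed, any fatal alert and the mapped error names out of DEBUG_SSL_HANDSHAKE console lines, so that a chain-trust failure such as X509CertChainInvalidErr can be spotted without reading the whole trace. The sample lines embedded below are copied from the console output posted earlier in the thread, trimmed to the relevant records.

```python
import re

# Sample DEBUG_SSL_HANDSHAKE console output (trimmed copy of the lines posted in the thread).
SAMPLE_LOG = """\
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM int_MapSSLError> Mapping SSL error 0 to 0 [SSLNoErr]
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Server chose SSL/TLS version TLS1.0 (0x0301)
[11492:00007-965867264] 07/21/2015 02:38:52.35 PM SSLProcessServerHello> Server chose cipher spec RSA_WITH_AES_256_CBC_SHA (0x0035)
[11492:00007-965867264] 07/21/2015 02:38:52.36 PM SSLProcessHandshakeMessage Enter> Message:= SSL_certificate
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM SSLSendAlert> Sending an alert of 0x0 (close_notify) level 0x2 (fatal)
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
[11492:00007-965867264] 07/21/2015 02:38:52.37 PM int_MapSSLError> Mapping SSL error -6986 to 4163 [X509CertChainInvalidErr]
"""

# "[pid:thread] date time AM/PM " prefix that every Domino console record carries.
PREFIX = r"^\[[^\]]+\]\s+\S+\s+\S+\s+[AP]M\s+"

PATTERNS = {
    "offered_version": re.compile(PREFIX + r"SSLEncodeClientHello> We offered SSL/TLS version (\S+)"),
    "chosen_version": re.compile(PREFIX + r"SSLProcessServerHello> Server chose SSL/TLS version (\S+)"),
    "cipher": re.compile(PREFIX + r"SSLProcessServerHello> Server chose cipher spec (\S+)"),
    "last_message": re.compile(PREFIX + r"SSLProcessHandshakeMessage Enter> Message:= (\S+)"),
    "alert": re.compile(PREFIX + r"SSLSendAlert> Sending an alert of \S+ \((\w+)\) level \S+ \((\w+)\)"),
    "error": re.compile(PREFIX + r"int_MapSSLError> Mapping SSL error (-?\d+) to \d+ \[(\w+)\]"),
}


def summarize_handshake(log_text):
    """Reduce a DEBUG_SSL_HANDSHAKE trace to the facts that decide where the handshake failed."""
    summary = {"errors": []}
    for line in log_text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            if key == "error":
                # Keep every non-zero mapped error, in order, as (native code, symbolic name).
                if match.group(2) != "SSLNoErr":
                    summary["errors"].append((int(match.group(1)), match.group(2)))
            elif key == "alert":
                summary["alert"] = f"{match.group(1)}/{match.group(2)}"
            else:
                # Later records win, so "last_message" is the handshake message being processed at failure.
                summary[key] = match.group(1)
    # The peer's certificate chain was rejected by Domino's trust policy (missing or untrusted root).
    summary["chain_invalid"] = any(name == "X509CertChainInvalidErr" for _, name in summary["errors"])
    return summary
```

When `chain_invalid` is true and `last_message` is `SSL_certificate`, the failure happened while validating the LDAP server's chain, which is the case the reply above describes.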

Jul 23, 2015, 3:33 PM
11 Posts
Re: Looks like an invalid or untrusted certificate chain on the LDAP server

I don't have an old keyring file. It was a new installation of the Domino server and Traveler.

Traveler used only HTTP, and DA used a connection via 636.

After enabling HTTPS with the new keyring file, the problems started.

Nov 13, 2015, 5:39 PM
6 Posts
The Domino server needs to know about the certificate information of the remote LDAP server it is connecting to. Please refer to the following technote:

Title: How to allow Directory Assistance to communicate with an external LDAP server using SSL encryption
Doc #: 1249483
URL: http://www.ibm.com/support/docview.wss?uid=swg21249483
