Secure LDAP TLS handshake error

Time: 2017-03-27 16:44:52

Tags: java ldap

I am trying to change existing LDAP authentication code to use secure LDAP. However, while plain LDAP works, secure LDAP fails with an SSLHandshakeException. I have a basic code sample:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;

public class LdapsTest {
    public static void main(String[] args) {
        final Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://thehost.net:636");
        env.put(Context.SECURITY_PRINCIPAL, "id@thehost.net");
        env.put(Context.SECURITY_CREDENTIALS, "password");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        try { final InitialDirContext context = new InitialDirContext(env); context.close(); }
        catch (Exception e) { e.printStackTrace(); }
    }
}

The result I get when running the code with -Djavax.net.debug=all is:

IBMJSSEProvider2 Build-Level: -20120224
Installed Providers = 
    IBMJSSE2
    IBMJCE
    IBMJGSSProvider
    IBMCertPath
    IBMSASL
    IBMXMLCRYPTO
    IBMXMLEnc
    IBMSPNEGO
    SUN
keyStore is: C:\IBM\SDP85\jdk\jre\lib\security\cacerts
keyStore type is: jks
keyStore provider is: 
init keystore
init keymanager of type IbmX509
trustStore is: C:\IBM\SDP85\jdk\jre\lib\security\cacerts
trustStore type is: jks
trustStore provider is: 
init truststore
adding as trusted cert:
<...lots...>

SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.uc
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.yc
JsseJCE:  Using SecureRandom  from provider IBMJCE version 1.7
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will not enable CBC protection
JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
JsseJCE:  Using SecureRandom  from provider IBMJCE version 1.7
JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.7
JsseJCE:  Using signature SHA1withECDSA from provider TBD via init 
JsseJCE:  Using signature NONEwithECDSA from provider TBD via init 
JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.7
JsseJCE:  Using KeyPairGenerator EC from provider TBD via init 
JsseJce:  EC is available
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default

Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1473523168 bytes = { 226, 146, 195, 134, 254, 178, 154, 160, 71, 118, 157, 13, 255, 234, 173, 207, 224, 49, 60, 249, 136, 124, 112, 41, 169, 88, 54, 229 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: thehost.net]
***
[write] MD5 and SHA1 hashes:  len = 144
<hex code>

Thread-5, WRITE: TLSv1 Handshake, length = 144
[Raw write]: length = 149
<hex code>

Thread-5, received EOFException: error
Thread-5, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Thread-5, SEND TLSv1 ALERT:  fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 01 00 02 02 28                               .......

Thread-5, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

Is this error caused by something I have not set correctly in the code? Or is it a server-side problem? I did some searching and this looks correct, but I am not very familiar with LDAP or SSL/TLS.

0 answers:

No answers