java -Djavax.net.debug=ssl LDAPConnector 


trigger seeding of SecureRandom 
done seeding SecureRandom 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1256110124 bytes = { 224, 19, 193, 148, 45, 205, 108, 37, 101, 247, 112, 24, 157, 39, 111, 177, 43, 53, 206, 224, 68, 165, 55, 185, 54, 203, 43, 91 } 
Session ID: {} 
Compression Methods: { 0 } 
Thread-0, WRITE: TLSv1 Handshake, length = 73 
Thread-0, WRITE: SSLv2 client hello message, length = 98 
Thread-0, received EOFException: error 
Thread-0, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 
Thread-0, SEND TLSv1 ALERT: fatal, description = handshake_failure 
Thread-0, WRITE: TLSv1 Alert, length = 2 
Thread-0, called closeSocket() 
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 
javax.naming.CommunicationException: simple bind failed: ldap.natraj.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during hands 
     at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) 
     at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) 
     at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source) 
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) 
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source) 
     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) 
     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source) 
     at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) 
     at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) 
     at javax.naming.InitialContext.init(Unknown Source) 
     at javax.naming.InitialContext.<init>(Unknown Source) 
     at javax.naming.directory.InitialDirContext.<init>(Unknown Source) 
     at LDAPConnector.CallSecureLDAPServer(LDAPConnector.java:43) 
     at LDAPConnector.main(LDAPConnector.java:237) 
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source) 
     at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source) 
     at java.io.BufferedInputStream.fill(Unknown Source) 
     at java.io.BufferedInputStream.read1(Unknown Source) 
     at java.io.BufferedInputStream.read(Unknown Source) 
     at com.sun.jndi.ldap.Connection.run(Unknown Source) 
     at java.lang.Thread.run(Unknown Source) 
Caused by: java.io.EOFException: SSL peer shut down incorrectly 
     at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source) 
     ... 9 more 


I have created and installed the server certificate in the cacerts of both JREs, following this guide -> OpenLDAP with SSL

When I run ldapsearch -x on the server I get

# extended LDIF 
# LDAPv3 
# base <dc=localdomain> (default) with scope subtree 
# filter: (objectclass=*) 
# requesting: ALL 

# localdomain 
dn: dc=localdomain 
objectClass: top 
objectClass: dcObject 
objectClass: organization 
o: localdomain 
dc: localdomain 

# admin, localdomain 
dn: cn=admin,dc=localdomain 
objectClass: simpleSecurityObject 
objectClass: organizationalRole 
cn: admin 
description: LDAP administrator 

# search result 
search: 2 
result: 0 Success 

# numResponses: 3 
# numEntries: 2 

When I run openssl s_client -connect ldap.natraj.com:636 -showcerts, I get the self-signed certificate.


# Global Directives: 

# Features to permit 
#allow bind_v2 

# Schema and objectClass definitions 
include   /etc/ldap/schema/core.schema 
include   /etc/ldap/schema/cosine.schema 
include   /etc/ldap/schema/nis.schema 
include   /etc/ldap/schema/inetorgperson.schema 

# Where the pid file is put. The init.d script 
# will not stop the server if you change this. 
pidfile   /var/run/slapd/slapd.pid 

# List of arguments that were passed to the server 
argsfile  /var/run/slapd/slapd.args 

# Read slapd.conf(5) for possible values 
loglevel  none 

# Where the dynamically loaded modules are stored 
modulepath  /usr/lib/ldap 
moduleload  back_hdb 

# The maximum number of entries that is returned for a search operation 
sizelimit 500 

# The tool-threads parameter sets the actual amount of cpu's that is used 
# for indexing. 
tool-threads 1 

# Specific Backend Directives for hdb: 
# Backend specific directives apply to this backend until another 
# 'backend' directive occurs 
backend   hdb 

# Specific Backend Directives for 'other': 
# Backend specific directives apply to this backend until another 
# 'backend' directive occurs 
#backend    <other> 

# Specific Directives for database #1, of type hdb: 
# Database specific directives apply to this database until another 
# 'database' directive occurs 
database  hdb 

# The base of your directory in database #1 
suffix   "dc=localdomain" 

# rootdn directive for specifying a superuser on the database. This is needed 
# for syncrepl. 
rootdn   "cn=admin,dc=localdomain" 

# Where the database file are physically stored for database #1 
directory  "/var/lib/ldap" 

# The dbconfig settings are used to generate a DB_CONFIG file the first 
# time slapd starts. They do NOT override an existing DB_CONFIG 
# file. You should therefore change these settings in DB_CONFIG directly 
# or remove DB_CONFIG and restart slapd for changes to take effect. 

# For the Debian package we use 2MB as default but be sure to update this 
# value if you have plenty of RAM 
dbconfig set_cachesize 0 2097152 0 

# Sven Hartge reported that he had to set this value incredibly high 
# to get slapd running at all. See http://bugs.debian.org/303057 for more 
# information. 

# Number of objects that can be locked at the same time. 
dbconfig set_lk_max_objects 1500 
# Number of locks (both requested and granted) 
dbconfig set_lk_max_locks 1500 
# Number of lockers 
dbconfig set_lk_max_lockers 1500 

# Indexing options for database #1 
index   objectClass eq 

# Save the time that the entry gets modified, for database #1 
lastmod   on 

# Checkpoint the BerkeleyDB database periodically in case of system 
# failure and to speed slapd shutdown. 
checkpoint  512 30 

# Where to store the replica logs for database #1 
# replogfile /var/lib/ldap/replog 
# The userPassword by default can be changed 
# by the entry owning it if they are authenticated. 
# Others should not be able to see it, except the 
# admin entry below 
# These access lines apply to database #1 only 
access to attrs=userPassword,shadowLastChange 
     by dn="cn=admin,dc=localdomain" write 
     by anonymous auth 
     by self write 
     by * none 

# Ensure read access to the base for things like 
# supportedSASLMechanisms. Without this you may 
# have problems with SASL not knowing what 
# mechanisms are available and the like. 
# Note that this is covered by the 'access to *' 
# ACL below too but if you change that as people 
# are wont to do you'll still need this if you 
# want SASL (and possible other things) to work 
# happily. 
access to dn.base="" by * read 

# The admin dn has full write access, everyone else 
# can read everything. 
access to * 
     by dn="cn=admin,dc=localdomain" write 
     by * read 

# For Netscape Roaming support, each user gets a roaming 
# profile for which they have write access to 
#access to dn=".*,ou=Roaming,o=morsnet" 
#  by dn="cn=admin,dc=localdomain" write 
#  by dnattr=owner write 
# Specific Directives for database #2, of type 'other' (can be hdb too): 
# Database specific directives apply to this database until another 
# 'database' directive occurs 
#database  <other> 

# The base of your directory for database #2 
#suffix   "dc=debian,dc=org" 

# SSL: 
# Uncomment the following lines to enable SSL and use the default 
# snakeoil certificates. 
#TLSCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem 
#TLSCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 

TLSCACertificateFile /etc/ldap/ssl/server.pem 
TLSCertificateFile /etc/ldap/ssl/server.pem 
TLSCertificateKeyFile /etc/ldap/ssl/server.pem 


# LDAP Defaults 

# See ldap.conf(5) for details 
# This file should be world readable but not world writable. 

HOST ldap.natraj.com 
PORT 636 

BASE dc=localdomain 
URI  ldaps://ldap.natraj.com 
TLS_CACERT /etc/ldap/ssl/server.pem 

#DEREF   never 


As you get this straight after sending the SSLv2 ClientHello, you should try disabling SSLv2ClientHello. See the JSSE Reference Guide.


I am not using my own SSL sockets; I use the javax.naming.* API to connect to the LDAP server. I have no control over the sockets this API uses. – Stormshadow 2010-05-04 07:38:02


I was able to use the setEnabledProtocols() method on an instance of SSLSocket to add {"TLSv1"}, but how do I enable it for all such sockets? Should I write my own CustomSSLSocketFactory? – Stormshadow 2010-05-04 09:37:56


I think there is a system property that disables it. See the JSSE Reference Guide. – EJP 2010-05-05 00:48:29
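An added example, not code from the question or from either commenter, of the custom socket factory the comment above asks about: it wraps the JRE's default SSLSocketFactory, removes SSLv2Hello from the enabled protocols of every socket it creates, and is handed to JNDI through the documented java.naming.ldap.factory.socket environment property, which loads the class and calls its static getDefault() method. The class name, the bind DN taken from the slapd.conf above, and reading the bind password from args[0] are assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Wraps the default JSSE factory (which trusts the JRE's cacerts) and removes "SSLv2Hello"
// from every socket it hands out, so the ClientHello goes out in TLS record format only.
public class NoSslv2HelloSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();
    // The JNDI LDAP provider instantiates the factory by calling this static method reflectively.
    public static SSLSocketFactory getDefault() { return new NoSslv2HelloSocketFactory(); }

    private Socket strip(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            List<String> protos = new ArrayList<String>(Arrays.asList(ssl.getEnabledProtocols()));
            protos.remove("SSLv2Hello");   // e.g. [SSLv2Hello, SSLv3, TLSv1] becomes [SSLv3, TLSv1]
            ssl.setEnabledProtocols(protos.toArray(new String[protos.size()]));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return strip(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean c) throws IOException { return strip(delegate.createSocket(s, h, p, c)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return strip(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return strip(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return strip(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return strip(delegate.createSocket(h, p, l, lp)); }

    // Simple bind over LDAPS with the factory above; the bind password is taken from args[0] (assumption).
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.natraj.com:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=localdomain");
        env.put(Context.SECURITY_CREDENTIALS, args[0]);
        env.put("java.naming.ldap.factory.socket", NoSslv2HelloSocketFactory.class.getName());
        DirContext ctx = new InitialDirContext(env);   // handshake no longer starts with an SSLv2-format hello
        ctx.close();
    }
}
```

Because the delegate is SSLSocketFactory.getDefault(), the server certificate installed in cacerts is still what validates the connection. On JDK 7 and later SSLv2Hello is already disabled on the client side by default, so there the removal is a no-op and the factory is only needed for the JDK 6 era JREs in this thread.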