How to disable certificate check in ldaptive


dc

May 1, 2018, 11:44:38 AM
to ldaptive
When I try to connect over ldaps I get the error java.security.cert.CertificateException: Hostname <<ip address>> does not match the hostname in the server's certificate <<hostname>>.

How do I disable the certificate check here?

Code :
--------------------------------------------------------------------------------------
import org.ldaptive.*;
import org.ldaptive.auth.*;
import org.ldaptive.pool.*;

// Connection config: note that no SslConfig is set, so the default trust
// manager and hostname verifier apply to the ldaps URL.
ConnectionConfig connectionConfig = new ConnectionConfig();
connectionConfig.setLdapUrl(ldapUrl);
connectionConfig.setConnectionInitializer(new BindConnectionInitializer("baseUserDN", new Credential(pwd)));

PoolConfig poolConfig = new PoolConfig();
poolConfig.setValidateOnCheckOut(true);
poolConfig.setValidatePeriodically(true);

// Pool used for resolving the user's DN
BlockingConnectionPool pool = new BlockingConnectionPool(poolConfig, new DefaultConnectionFactory(connectionConfig));
pool.setValidator(new SearchValidator(new SearchRequest(baseUserDN, new SearchFilter("(objectClass=*)"))));
pool.initialize();

PooledSearchDnResolver dnResolver = new PooledSearchDnResolver(new PooledConnectionFactory(pool));
dnResolver.setBaseDn(serviceAccountSearchBase);
dnResolver.setUserFilter("sAcc={user}");

// Separate pool used for the bind that authenticates the user
BlockingConnectionPool authPool = new BlockingConnectionPool(poolConfig, new DefaultConnectionFactory(connectionConfig));
authPool.setValidator(new SearchValidator(new SearchRequest(baseUserDN, new SearchFilter("(objectClass=*)"))));
authPool.initialize();
AuthenticationHandler authHandler = new PooledBindAuthenticationHandler(new PooledConnectionFactory(authPool));

Authenticator authenticator = new Authenticator(dnResolver, authHandler);

--------------------------------------------------------------------------------------
I am getting the following error:

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Hostname <<ip address>> does not match the hostname in the server's certificate <<hostname>>
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_66]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_66]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_66]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[?:1.8.0_66]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_66]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_66]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928) ~[?:1.8.0_66]
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_66]
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[?:1.8.0_66]
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[?:1.8.0_66]
        at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[?:1.8.0_66]
        at com.sun.jndi.ldap.Connection.run(Connection.java:860) ~[?:1.8.0_66]
        ... 1 more
Caused by: java.security.cert.CertificateException: Hostname <<ip address>> does not match the hostname in the server's certificate <<hostname>>
        at org.ldaptive.ssl.HostnameVerifyingTrustManager.checkCertificateTrusted(HostnameVerifyingTrustManager.java:79) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.ssl.HostnameVerifyingTrustManager.checkServerTrusted(HostnameVerifyingTrustManager.java:55) ~[ldaptive-1.2.3.jar:?]
        at org.ldaptive.ssl.AggregateTrustManager.checkServerTrusted(AggregateTrustManager.java:129) ~[ldaptive-1.2.3.jar:?]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922) ~[?:1.8.0_66]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[?:1.8.0_66]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_66]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_66]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_66]
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928) ~[?:1.8.0_66]
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[?:1.8.0_66]
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:246) ~[?:1.8.0_66]
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:286) ~[?:1.8.0_66]
        at java.io.BufferedInputStream.read(BufferedInputStream.java:345) ~[?:1.8.0_66]
        at com.sun.jndi.ldap.Connection.run(Connection.java:860) ~[?:1.8.0_66]



Ben Howell-Thomas

May 1, 2018, 12:17:19 PM
to ldap...@googlegroups.com
Something along the lines of this should help, obviously only until you sort out certificates:

logger.warn("Ldap certificate checking is disabled");
SslConfig sslConfig = new SslConfig(new AllowAnyTrustManager());
connectionConfig.setSslConfig(sslConfig);

It's possible to use a TrustManagerFactory to produce a TrustManager which will only trust your own self-generated certificates, but it's dependent on how you generate them so you'd have to work that out for your situation.



--
You received this message because you are subscribed to the Google Groups "ldaptive" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ldaptive+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



dc

May 1, 2018, 2:13:49 PM
to ldaptive
Thanks for your suggestions, Ben. I have already tried the way you mentioned by providing AllowAnyTrustManager(); still the same issue.

And you also mentioned "obviously only until you sort out certificates": are you saying generating the certificate is an issue? We are generating the certificate with the hostname (not with the IP address).

Ben Howell-Thomas

May 2, 2018, 4:02:40 AM
to ldap...@googlegroups.com
are you saying generating certificate is an issue ?
No, I just mean that AllowAnyTrustManager should only be used on dev (i.e. just stating the obvious). For production code you want to be sure it's the right certificate, of course.

It's curious that it didn't work though... can you debug it to see if there are some other default trust managers being used instead (i.e. one that delegates certificate checking to the operating system)?

Alternatively maybe add an entry to your hosts file so that the hostname will match the ip address or something like that?  At least to prove what the issue is.



Daniel Fisher

May 2, 2018, 4:34:36 PM
to ldap...@googlegroups.com
On Tue, May 1, 2018 at 2:13 PM dc <deepu...@gmail.com> wrote:
Thanks for your suggestions, Ben. I have already tried the way you mentioned by providing AllowAnyTrustManager(), still the same issue.

v1.2.3 attempted to separate the TrustManager and Hostname Verifier concerns,
largely because of unintended consequences and lack of configurability.
Try using SslConfig.setHostnameVerifier(new AllowAnyHostnameVerifier());

--Daniel Fisher
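As an added example (not code from this thread or from the ldaptive project), the dev-only configuration Daniel describes is shown next to the production alternative Ben alludes to, which trusts only the internal CA that signed the server certificate and keeps the default hostname check. The API usage targets ldaptive 1.2.x as in the stack trace; the LDAP URL and CA path are placeholders.

```java
import org.ldaptive.ConnectionConfig;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.ssl.AllowAnyHostnameVerifier;
import org.ldaptive.ssl.AllowAnyTrustManager;
import org.ldaptive.ssl.SslConfig;
import org.ldaptive.ssl.X509CredentialConfig;

public final class LdapTlsConfigs {

    // Development only: trusts every certificate and skips hostname matching.
    // Both settings are needed on 1.2.x because the trust manager and the
    // hostname verifier are separate concerns: the exception in this thread
    // comes from HostnameVerifyingTrustManager, which AllowAnyTrustManager
    // alone does not replace.
    public static ConnectionConfig devConfig(String ldapsUrl) {
        SslConfig ssl = new SslConfig(new AllowAnyTrustManager());
        ssl.setHostnameVerifier(new AllowAnyHostnameVerifier());
        ConnectionConfig cc = new ConnectionConfig(ldapsUrl);
        cc.setSslConfig(ssl);  // set before the config is handed to a factory
        return cc;
    }

    // Production: trust only the internal CA (PEM file, "file:" resource) and
    // keep the default hostname verification. The URL must then use the
    // hostname that appears in the server certificate, not its IP address.
    public static ConnectionConfig prodConfig(String ldapsUrl, String caPemPath) {
        X509CredentialConfig creds = new X509CredentialConfig();
        creds.setTrustCertificates("file:" + caPemPath);
        SslConfig ssl = new SslConfig();
        ssl.setCredentialConfig(creds);
        ConnectionConfig cc = new ConnectionConfig(ldapsUrl);
        cc.setSslConfig(ssl);
        return cc;
    }

    public static void main(String[] args) {
        // Placeholder values; replace with your directory host and CA bundle.
        ConnectionConfig cc = prodConfig(
            "ldaps://ldap.example.internal:636", "/etc/pki/internal-ca.pem");
        // ldaptive config objects become immutable once a factory is using
        // them, so SslConfig must be applied before this point.
        DefaultConnectionFactory cf = new DefaultConnectionFactory(cc);
        System.out.println(cf.getConnectionConfig().getSslConfig());
    }
}
```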

Jacques van der Merwe

Nov 5, 2019, 7:15:39 AM
to ldaptive
There is no such static method on class SslConfig (setHostnameVerifier). Not sure what version was referenced here.
I have the same issue whereby the hostname does not match the server certificate. As these are internally signed certs used for DEV I am not too concerned to skip hostname verification.

and doing this
SslConfig sslConfig = new SslConfig(new AllowAnyTrustManager());
connConfig.setSslConfig(sslConfig);

presents this error

"Cannot modify immutable object"

How can this be done? When I used the sun libraries I merely specified this on the JVM: "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true". This does not work when using this library.

thanks

Jacques

Ben Howell-Thomas

Nov 5, 2019, 7:50:37 AM
to ldap...@googlegroups.com
That code's exactly what I've got, along with:

logger.warn("Ldap certificate checking is disabled - fine if on dev");

and some lines setting up startTLS and a connectionStrategy.

There is a non-static setHostnameVerifier method of course.
