System Administrator Jahia 7.3 Jahia 8

LDAPs and OpenJDK11

Question

I have switched to OpenJDK 11 and my LDAP provider, which uses an SSL connection, is not working anymore. I get the following error:

2019-07-03 09:07:43,088: ERROR [CM Configuration Updater (ManagedServiceFactory Update: factoryPid=[org.jahia.services.usermanager.ldap])] org.jahia.services.usermanager.ldap.LDAPUserGroupProvider: An error occurred while communicating with the LDAP server ldap
org.springframework.ldap.CommunicationException: sso.jahia.com:636; nested exception is javax.naming.CommunicationException: sso.jahia.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
        at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
        at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:159)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:440)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:271)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:1604)
        at org.jahia.services.usermanager.ldap.LDAPUserGroupProvider$3.doInLdap(LDAPUserGroupProvider.java:410)
        at org.jahia.services.usermanager.ldap.LDAPUserGroupProvider$3.doInLdap(LDAPUserGroupProvider.java:405)
        at org.jahia.services.usermanager.ldap.communication.LdapTemplateWrapper.execute(LdapTemplateWrapper.java:62)
        at org.jahia.services.usermanager.ldap.LDAPUserGroupProvider.isAvailable(LDAPUserGroupProvider.java:405)
        at org.jahia.modules.external.users.impl.UserDataSource.isAvailable(UserDataSource.java:244)
        at org.jahia.modules.external.ExternalSessionImpl.getRootNode(ExternalSessionImpl.java:188)
        at org.jahia.services.content.JCRStoreProvider.checkAvailability(JCRStoreProvider.java:410)
        at org.jahia.services.content.JCRStoreProvider.isAvailable(JCRStoreProvider.java:387)
        at org.jahia.services.content.JCRStoreProvider.isAvailable(JCRStoreProvider.java:376)
        at org.jahia.services.content.JCRStoreProvider.start(JCRStoreProvider.java:341)
        at org.jahia.modules.external.ExternalContentStoreProvider.start(ExternalContentStoreProvider.java:160)
        at org.jahia.services.content.JCRStoreProvider.start(JCRStoreProvider.java:326)
        at org.jahia.modules.external.users.impl.ExternalUserGroupServiceImpl.register(ExternalUserGroupServiceImpl.java:157)
        at org.jahia.modules.external.users.BaseUserGroupProvider.register(BaseUserGroupProvider.java:78)
        at org.jahia.services.usermanager.ldap.JahiaLDAPConfig.setContext(JahiaLDAPConfig.java:271)
        at org.jahia.services.usermanager.ldap.JahiaLDAPConfigFactory.updated(JahiaLDAPConfigFactory.java:119)
        at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
        at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
        at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceFactoryUpdate.provide(ConfigurationManager.java:1602)
        at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceFactoryUpdate.run(ConfigurationManager.java:1545)
        at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:143)
        at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:110)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.naming.CommunicationException: sso.jahia.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
        at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:237)
        at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1610)
        at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2752)
        at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
        at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
        at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
        at org.springframework.ldap.core.support.LdapContextSource.getDirContextInstance(LdapContextSource.java:42)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
        ... 29 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
        at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:279)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:181)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
        at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:348)
        at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
        ... 43 more

 

Answer

By default, OpenJDK 11 uses version 1.3 of the TLS protocol. If your LDAP server does not support this protocol, the connection fails. The bug was reported here: https://bugs.openjdk.java.net/browse/JDK-8213202

To work around it, you have to use version 1.2 by following these steps:

  1. Modify the file DX_HOME/tomcat/bin/setenv.sh and add the parameter -Djdk.tls.client.protocols=TLSv1.2 to the variable CATALINA_OPTS
  2. Restart Jahia
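
Step 1 as a repeatable shell function. This is an added example, not Jahia's own tooling: the function name `ensure_tls12` is hypothetical, and it assumes setenv.sh is a plain shell file sourced by Tomcat at startup. It appends the flag only once and refuses to overwrite a different `jdk.tls.client.protocols` value that is already set, because that property applies to every outbound TLS client connection in the JVM.

```shell
#!/bin/sh
# Added example (not from the Jahia page). ensure_tls12 is a hypothetical helper.
TLS_FLAG='-Djdk.tls.client.protocols=TLSv1.2'

# ensure_tls12 FILE
#   0 = FILE already pins TLSv1.2, or the flag was appended (backup in FILE.bak)
#   1 = FILE does not exist
#   2 = FILE sets a different jdk.tls.client.protocols value; review by hand
ensure_tls12() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Read the last active (non-comment) value of the property, if any.
    value=$(grep -v '^[[:space:]]*#' "$file" \
        | sed -n 's/.*-Djdk\.tls\.client\.protocols=\([A-Za-z0-9.,]*\).*/\1/p' \
        | tail -n 1)

    case "$value" in
        TLSv1.2)
            return 0 ;;
        '')
            cp -p "$file" "$file.bak"
            # Append to CATALINA_OPTS instead of replacing it, so existing
            # JVM options in the file are preserved.
            printf '\nCATALINA_OPTS="$CATALINA_OPTS %s"\nexport CATALINA_OPTS\n' \
                "$TLS_FLAG" >> "$file"
            return 0 ;;
        *)
            echo "conflict: $file already sets jdk.tls.client.protocols=$value" >&2
            return 2 ;;
    esac
}

# Usage: sh this_script.sh DX_HOME/tomcat/bin/setenv.sh
if [ "$#" -gt 0 ]; then
    ensure_tls12 "$1"
fi
```

Restart Jahia afterwards (step 2) so that Tomcat picks up the new `CATALINA_OPTS`.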