Question

I am trying to test an SSL two-way connection (handshake) between a Java client and an OpenLDAP server.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class LdapsMutualTlsTest {
        public static void main(String[] args) throws NamingException {
            // Truststore that holds the OpenLDAP server certificate (server.pem imported into cacerts)
            System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files (x86)\\Java\\jre7\\lib\\security\\cacerts");
            System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            System.setProperty("javax.net.debug", "ssl");

            // Client certificate and private key presented during the two-way handshake
            System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
            System.setProperty("javax.net.ssl.keyStore", "C:\\OpenLDAP\\etc\\certs\\client.p12");
            System.setProperty("javax.net.ssl.keyStorePassword", "password");

            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Specify SSL
            env.put(Context.SECURITY_PROTOCOL, "SSLv3");
            env.put(Context.PROVIDER_URL, "ldaps://localhost:636");

            // Creating the context opens the connection and runs the TLS handshake
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
        }
    }

I installed OpenLDAP with default parameters and I exported the server.pem to the truststore above. From the logs I can see that the handshake failed after ServerHello is done, which I guess is the problem of trying to get the client certificate. What can be wrong with the configuration that I did?


Solution

You need to add the server certificate to Java's keystore, because I'm assuming it's self-signed.

You can get the certificate using

openssl s_client -connect [hostname]:[port e.g. 443] < /dev/null > /tmp/lb.cert

Then add the certificate to your keystore

keytool -importcert -keystore [keystore location, varies, but can be e.g. /etc/pki/java/cacerts] -storepass changeit -file /tmp/lb.cert -alias newSelfSignedKey -noprompt
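The two commands above, worked through end to end as an added example (this is not code from the answer or from the OpenLDAP project). It uses `openssl s_client -showcerts`, which prints every certificate the server sends rather than only the leaf, splits that output into one PEM file per certificate, and imports each under its own alias with keytool. So that it runs offline, the s_client output is a constructed stand-in with dummy certificate bodies; the host name ldap.example.test, the aliases, and the LDAP_TRUSTSTORE variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer. It reproduces the answer's
# "fetch with openssl s_client, import with keytool" procedure on a constructed
# stand-in for the s_client output, so it runs offline. Hypothetical: the host
# name ldap.example.test, the aliases and the LDAP_TRUSTSTORE variable.
set -eu

WORK="$(mktemp -d)"

# Constructed sample of what
#   openssl s_client -showcerts -connect ldap.example.test:636 < /dev/null
# prints: handshake chatter plus one PEM block per certificate in the chain.
# The base64 bodies are dummies, not real certificates.
s_client_output="$WORK/s_client.out"
cat > "$s_client_output" <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Lab CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Lab CA
-----BEGIN CERTIFICATE-----
TUlJQkxFQUZDRVJURFVNTVlEQVRB
-----END CERTIFICATE-----
 1 s:CN = Example Lab CA
   i:CN = Example Lab CA
-----BEGIN CERTIFICATE-----
TUlJQkNBQ0VSVERVTU1ZREFUQQ==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test
EOF

# split_pem_chain FILE OUTDIR: write each PEM block in FILE to OUTDIR/cert-N.pem
# (N counted from 0, so cert-0.pem is the leaf) and print how many were found.
split_pem_chain() {
    awk -v dir="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0; n++ }
        END { print n }
    ' "$1"
}

# pem_block_count FILE: number of complete PEM certificate blocks in FILE.
pem_block_count() {
    grep -c -- '-----END CERTIFICATE-----' "$1"
}

# import_chain OUTDIR TRUSTSTORE PASSWORD: import every cert-N.pem under its own
# alias (keytool refuses a duplicate alias, so one alias per certificate) and
# list the store afterwards. keytool ships with the JDK; skip when it is absent.
import_chain() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping import" >&2; return 0; }
    for f in "$1"/cert-*.pem; do
        keytool -importcert -noprompt -keystore "$2" -storepass "$3" \
            -alias "ldap-$(basename "$f" .pem)" -file "$f"
    done
    keytool -list -keystore "$2" -storepass "$3"
}

mkdir -p "$WORK/chain"
count="$(split_pem_chain "$s_client_output" "$WORK/chain")"
echo "extracted $count certificate(s) into $WORK/chain"

# With a real capture, compare the fingerprint with the value the LDAP admin
# published before trusting anything:
#   openssl x509 -noout -subject -fingerprint -sha256 -in "$WORK/chain/cert-1.pem"
# The dummy blocks above would be rejected by keytool, so the import only runs
# when LDAP_TRUSTSTORE (hypothetical variable) points at a real truststore.
if [ -n "${LDAP_TRUSTSTORE:-}" ]; then
    import_chain "$WORK/chain" "$LDAP_TRUSTSTORE" changeit
fi
```

Run it as-is to see the splitting on the constructed sample; against a real server, replace the heredoc with the `openssl s_client -showcerts` capture and set `LDAP_TRUSTSTORE` to the cacerts path the JVM actually reads (the one passed as `javax.net.ssl.trustStore`), then point a failing client at it and check that the `javax.net.debug=ssl` log now gets past the certificate step. Importing the issuing CA (cert-1 here) rather than only the leaf means the trust survives a server certificate renewal signed by the same CA.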

Licensed under: CC-BY-SA with attribution