
SSL handshake failed with no cipher suites in common in DS 5 after restricting cipher suites or upgrading Java

Last updated Apr 3, 2019

The purpose of this article is to provide assistance if you encounter "SSL handshake failed" errors in DS 5 after restricting cipher suites to more secure ones (for example SHA384), installing DS in production mode and/or updating Java® to JDK 1.8.0_192 or later. The reason for the failure is given as "no cipher suites in common".


Symptoms

Running commands that connect over LDAPS fail with an SSL handshake failed error, for example:

  • Using the ldapsearch command:
    Unable to connect to the server: 82 (Local Error)
    Additional Information: SSL handshake failed
    
  • Using the dsreplication command:
    Could not connect to localhost:4444. Check that the server is running and that the provided credentials are valid.
    Error details: Local Error: SSL handshake failed
    

If you enable SSL debug logging, you will see errors similar to the following in the server.out log depending on how you are connecting:

  • LDAPS Connection Handler:
    %% Initialized:  [Session-9, SSL_NULL_WITH_NULL_NULL]
    LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated:  [Session-9, SSL_NULL_WITH_NULL_NULL]
    LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
    LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: SSLEngine is closing/closed
    
  • Administration Connector:
    %% Initialized:  [Session-50, SSL_NULL_WITH_NULL_NULL]
    Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated:  [Session-50, SSL_NULL_WITH_NULL_NULL]
    Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
    Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: SSLEngine is closing/closed
    

You can enable SSL debug logging as described in FAQ: SSL certificate management in DS/OpenDJ (Q. How do I debug a SSL handshake error?).

Additionally, the server.out log does not show the more secure cipher suites that have been enabled.
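As an added triage aid (not ForgeRock code), the script below scans a server.out SSL debug excerpt in the format quoted above and reports which connectors are failing with alert 40 "no cipher suites in common" answered by a handshake_failure alert; the sample log is constructed from the lines in the Symptoms section.

```python
import re
from collections import defaultdict

# Common prefix of the JSSE debug lines written by the LDAPS Connection Handler
# and the Administration Connector, e.g. "LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, "
HANDLER = (r"(?P<handler>LDAPS Connection Handler|Administration Connector) "
           r"\S+ port (?P<port>\d+)\(\d+\) SelectorRunner, ")
FATAL_RE = re.compile(HANDLER + r"fatal error: (?P<code>\d+): (?P<reason>.+)$")
ALERT_RE = re.compile(HANDLER + r"SEND (?P<proto>TLSv[\d.]+) ALERT:\s+fatal, description = (?P<desc>\w+)$")

# Constructed sample: the server.out excerpt from the Symptoms section, both connectors.
SAMPLE_LOG = """\
%% Initialized:  [Session-9, SSL_NULL_WITH_NULL_NULL]
LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-9, SSL_NULL_WITH_NULL_NULL]
LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
LDAPS Connection Handler 0.0.0.0 port 1636(2) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
%% Initialized:  [Session-50, SSL_NULL_WITH_NULL_NULL]
Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Administration Connector 0.0.0.0 port 4444(1) SelectorRunner, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
"""

def triage(log_text):
    """Group handshake failures by (handler, port): failure count, (code, reason) pairs and (protocol, alert) pairs."""
    summary = defaultdict(lambda: {"failures": 0, "reasons": set(), "alerts": set()})
    for line in log_text.splitlines():
        m = FATAL_RE.match(line)
        if m:
            entry = summary[(m["handler"], int(m["port"]))]
            entry["failures"] += 1
            entry["reasons"].add((int(m["code"]), m["reason"]))
            continue
        m = ALERT_RE.match(line)
        if m:
            summary[(m["handler"], int(m["port"]))]["alerts"].add((m["proto"], m["desc"]))
    return dict(summary)

def cipher_mismatch_connectors(summary):
    """Return sorted (handler, port) pairs showing the symptom described in this article:
    alert 40 'no cipher suites in common' followed by a TLS handshake_failure alert."""
    return sorted(key for key, entry in summary.items()
                  if (40, "no cipher suites in common") in entry["reasons"]
                  and any(desc == "handshake_failure" for _, desc in entry["alerts"]))

if __name__ == "__main__":
    for handler, port in cipher_mismatch_connectors(triage(SAMPLE_LOG)):
        print(f"{handler} on port {port}: client and server share no cipher suite/protocol")
```

Run it against a real server.out by replacing SAMPLE_LOG with the file contents; a connector listed here is the one whose enabled cipher suites or protocol version should be compared with the client's.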

Recent Changes

Upgraded to JDK 1.8.0_192 or later.

Restricted cipher suites to more secure ones such as TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, which use protocol version TLSv1.2.

Installed DS using the --productionMode setup option (which restricts the available ciphers and forces the protocol version to TLSv1.2).

Causes

Due to a change introduced in JDK 1.8.0_192 (JDK-8162362: Introduce system property to control enabled ciphersuites), DS does not set the enabled cipher suites, so the LDAPS connection falls back to the default cipher suite list. A further consequence of this Java change is that only protocol TLSv1 is used with those cipher suites even though TLSv1.2 has been configured. As a result the client uses different cipher suites and a different protocol from the server; since both sides must agree on a common cipher suite and protocol to establish a secure connection, the SSL handshake fails.

Changes were made in DS 5.5 (OPENDJ-4341: setup with production mode with java 9) to support these Java changes in JDK 1.8.0_192 and later.

Solution

This issue can be resolved by upgrading to DS 5.5 or later; you can download this from BackStage.

Workaround

You can work around this issue by downgrading Java to JDK 1.8.0_191 or earlier.

See Also

How do I prevent the use of weak SSL cipher suites in DS/OpenDJ?

How do I troubleshoot connection via LDAPS issues in DS/OpenDJ (All versions)?

FAQ: SSL certificate management in DS/OpenDJ

LDAPS client connections fail with SSLHandshakeException: no cipher suites in common in DS 5 and OpenDJ 3.x

Invalid Padding length error when attempting to connect to DS 5 or OpenDJ 3.x via LDAPS

SSL in DS/OpenDJ

Administration Guide › TLS Protocols and Cipher Suites

Configuration Reference › LDAP Connection Handler

Security Guide › Set Up Servers in Production Mode

Related Training

N/A

Related Issue Tracker IDs

OPENDJ-4341 (setup with production mode with java 9)



Copyright © 2019 ForgeRock, all rights reserved.