LDAPS client connections fail with SSLHandshakeException: no cipher suites in common in DS 5 and OpenDJ 3.x

Last updated Apr 8, 2021

The purpose of this article is to provide assistance if ldapsearch fails with a "no cipher suites in common" error in DS/OpenDJ when connecting via LDAPS and you are using Java® 7.


This article has been archived and is no longer maintained by ForgeRock.


The following error is shown when searching using the ldapsearch command if you are connecting to DS/OpenDJ via LDAPS:

Socket Closed
    at ...
Cannot send the simple bind request: SSLHandshakeException(Remote host closed connection during handshake)
Result Code: 81 (Server Connection Closed)

An error similar to the following is shown in the DS/OpenDJ access log when the above error is received:

[21/Sep/2014:10:07:52 +0200] DISCONNECT conn=9359 reason="I/O Error" msg="An IO error occurred while reading a request from the client: no cipher suites in common"

Recent Changes

Upgraded to Java 7 (pre-update 51).

Configured LDAPS (LDAP/SSL) between the client and the server.


The SSL error is caused by the Java 7 client failing to encode part of the SSL handshake correctly, so the server aborts the handshake; the no cipher suites in common message means the server could not agree on any of the cipher suites the client offered.

This issue occurs when using DH (Diffie-Hellman) based cipher suites (such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and is a known Java 7 issue: JDK-8014618: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement

You can check which cipher suites and protocols the server supports by reading the supportedTLSCiphers and supportedTLSProtocols attributes of the root DSE (a base-scope search with an empty base DN), as described in Administration Guide › To List Protocols and Cipher Suites.


This issue can be resolved by upgrading to at least Java 7u51 (the preferred fix, since it removes the bug rather than working around it) or by using non-DH cipher suites.

To use non-DH cipher suites:

You can either configure your client to use non-DH cipher suites or configure the LDAPS connection handler in DS/OpenDJ to offer a limited set of cipher suites using the dsconfig set-connection-handler-prop command. Note that once ssl-cipher-suite is set on the handler, only the suites you list are offered; the JVM defaults no longer apply.

For example, to permit TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA cipher suites, you would use a command similar to the following:

$ ./dsconfig set-connection-handler-prop \
    --hostname \
    --port 4444 \
    --bindDN "cn=Directory Manager" \
    --bindPassword password \
    --handler-name "LDAPS Connection Handler" \
    --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV \
    --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA \
    --add ssl-cipher-suite:SSL_RSA_WITH_RC4_128_SHA \
    -n -X

TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a real cipher suite: it is the Signaling Cipher Suite Value from RFC 5746 that Java uses to advertise support for secure renegotiation, so it should always be included in any list you configure. Be aware that the example list above reflects the era in which this article was written: RC4 suites such as SSL_RSA_WITH_RC4_128_SHA have since been prohibited for TLS (RFC 7465) and are disabled by default in later Java releases, and TLS_RSA_* suites provide no forward secrecy. If you must restrict suites rather than upgrade Java, leave RC4 out and treat the restriction as temporary.
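As an added example (not ForgeRock's code and not part of this article), the following Python script combines the root DSE check above with the allow-list step: it parses constructed root DSE output (modelled on, not captured from, an ldapsearch for supportedTLSCiphers and supportedTLSProtocols), marks the finite-field DH suites the cited bug affects, flags suites that are weak by current standards, and emits the --add ssl-cipher-suite arguments with the SCSV first. It treats only DH/DHE suites as affected, on the reading that JDK-8014618 is in Java's DHKeyAgreement and that ECDHE suites use a separate key agreement; that is an inference from the bug title, not something this article states, so confirm it in your environment. The ldapsearch option names in the comment are assumptions as well.

```python
"""Added example, not ForgeRock's code: classify the cipher suites a DS/OpenDJ
server advertises and build the dsconfig arguments for a non-DH allow list.

SAMPLE_ROOT_DSE is constructed to resemble (not captured from) the output of a
root DSE search such as (option names assumed, check them for your version):
  ldapsearch --port 1636 --useSSL --trustAll --baseDN "" --searchScope base "(objectclass=*)" supportedTLSCiphers supportedTLSProtocols
"""
import re

SAMPLE_ROOT_DSE = """\
dn:
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedTLSCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSCiphers: TLS_DH_anon_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
"""

SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"

# Finite-field Diffie-Hellman key exchange in Java suite names: TLS_DH_*, TLS_DHE_*,
# SSL_DHE_*, including anonymous DH. ECDH/ECDHE names start with _EC and do not match.
FFDH_RE = re.compile(r"^(?:TLS|SSL)_DHE?_(?:anon|RSA|DSS)_")

# Suites a practitioner would not want to allow-list today (assumed heuristic).
WEAK_RE = re.compile(r"_(?:RC4|3DES|DES|NULL|anon|EXPORT)_|_MD5$")


def parse_root_dse(text):
    """Return (ciphers, protocols) from LDIF-style root DSE search output."""
    ciphers, protocols = [], []
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep:
            continue  # "dn:" line, blank line, or anything without a value
        if attr == "supportedTLSCiphers":
            ciphers.append(value.strip())
        elif attr == "supportedTLSProtocols":
            protocols.append(value.strip())
    return ciphers, protocols


def is_ffdh(suite):
    """True when the suite uses finite-field DH/DHE key exchange (the affected case)."""
    return FFDH_RE.match(suite) is not None


def is_weak(suite):
    """True for RC4, (3)DES, NULL, anonymous, export or MD5-based suites."""
    return WEAK_RE.search(suite) is not None


def non_dh_suites(ciphers, drop_weak=False):
    """Allow list with the renegotiation SCSV first and every finite-field DH suite removed."""
    keep = [c for c in ciphers if c != SCSV and not is_ffdh(c)]
    if drop_weak:
        keep = [c for c in keep if not is_weak(c)]
    return [SCSV] + keep


def dsconfig_args(suites):
    """argv fragments for: dsconfig set-connection-handler-prop ... --add ssl-cipher-suite:X"""
    args = []
    for suite in suites:
        args += ["--add", f"ssl-cipher-suite:{suite}"]
    return args


if __name__ == "__main__":
    ciphers, protocols = parse_root_dse(SAMPLE_ROOT_DSE)
    print("protocols:", ", ".join(protocols))
    for c in ciphers:
        tags = []
        if c == SCSV:
            tags.append("SCSV (keep)")
        if is_ffdh(c):
            tags.append("finite-field DH: affected by JDK-8014618")
        if is_weak(c):
            tags.append("weak")
        print(f"  {c:45s} {'; '.join(tags)}")
    print("dsconfig arguments (non-DH, weak suites dropped):")
    print("  " + " ".join(dsconfig_args(non_dh_suites(ciphers, drop_weak=True))))
```

Run it against the real output of your own root DSE search instead of SAMPLE_ROOT_DSE and paste the printed arguments into the dsconfig command above; the weak-suite filter is a heuristic, so review what it keeps before applying it.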

See Also

FAQ: SSL certificate management in DS 6.x

Invalid Padding length error when attempting to connect to DS 5 or OpenDJ 3.x via LDAPS

How do I troubleshoot connection via LDAPS issues in DS (All versions)?

How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?

How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?


Configuration Reference › LDAP Connection Handler

OpenDJ: Troubleshooting LDAP SSL connections

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.