LDAPS client connections fail with SSLHandshakeException: no cipher suites in common in DS 5 and OpenDJ 3.x
The purpose of this article is to provide assistance if ldapsearch fails with a "javax.net.ssl.SSLHandshakeException: no cipher suites in common" error in DS/OpenDJ when connecting via LDAPS and the client is running Java® 7 prior to update 51.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown when searching using the ldapsearch command if you are connecting to DS/OpenDJ via LDAPS:
java.net.SocketException: Socket Closed
    at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
    at java.net.Socket.setSoTimeout(Socket.java:1017)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:2107)
    at org.opends.server.tools.LDAPConnection.connectToHost(LDAPConnection.java:507)
    at org.opends.server.tools.LDAPSearch.mainSearch(LDAPSearch.java:1777)
    at org.opends.server.tools.LDAPSearch.main(LDAPSearch.java:580)
Cannot send the simple bind request: SSLHandshakeException(Remote host closed connection during handshake)
Result Code: 81 (Server Connection Closed)
An error similar to the following is shown in the DS/OpenDJ access log when the above error is received:
[21/Sep/2014:10:07:52 +0200] DISCONNECT conn=9359 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"
Recent Changes
Upgraded to Java 7 (pre-update 51).
Configured LDAPS (LDAP/SSL) between the client and the server.
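To find out which clients are producing the access-log DISCONNECT shown above, it helps to join each failing DISCONNECT to its CONNECT line by conn= so that the report lists client addresses rather than connection numbers. The script below is an added example, not DS/OpenDJ tooling; it assumes the legacy access-log layout (CONNECT ... conn=N from=host:port ... and DISCONNECT ... conn=N reason="I/O Error" msg="..."), and the log lines it runs over are constructed for illustration (only conn=9359 mirrors the article).

```shell
#!/bin/sh
# Added example (not DS/OpenDJ tooling): report LDAPS clients whose handshake
# ended with "no cipher suites in common" in a legacy-format DS/OpenDJ access log.
# Reads the log on stdin and joins each DISCONNECT to its CONNECT via conn=.
handshake_failures() {
  awk '
    # Assumed legacy access-log layout:
    #   [timestamp tz] CONNECT conn=N from=host:port to=host:port protocol=LDAPS
    #   [timestamp tz] DISCONNECT conn=N reason="I/O Error" msg="..."
    # Field 3 is the operation; conn= and from= are the fields after it.
    $3 == "CONNECT" {
      conn = ""; from = "unknown"
      for (i = 4; i <= NF; i++) {
        if ($i ~ /^conn=/) conn = substr($i, 6)
        if ($i ~ /^from=/) { from = substr($i, 6); sub(/:[0-9]+$/, "", from) }
      }
      client[conn] = from
    }
    $3 == "DISCONNECT" && /no cipher suites in common/ {
      conn = ""
      for (i = 4; i <= NF; i++) if ($i ~ /^conn=/) conn = substr($i, 6)
      c = (conn in client) ? client[conn] : "unknown"
      failures[c]++
    }
    END { for (c in failures) printf "%s %d\n", c, failures[c] }
  ' | sort
}

# Constructed sample log (not a real capture): two clients, one clean session.
sample_log() {
  cat <<'EOF'
[21/Sep/2014:10:07:50 +0200] CONNECT conn=9359 from=10.0.0.15:52187 to=10.0.0.5:636 protocol=LDAPS
[21/Sep/2014:10:07:52 +0200] DISCONNECT conn=9359 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"
[21/Sep/2014:10:08:01 +0200] CONNECT conn=9360 from=10.0.0.22:40111 to=10.0.0.5:636 protocol=LDAPS
[21/Sep/2014:10:08:01 +0200] BIND REQ conn=9360 op=0 msgID=1 type=SIMPLE dn="cn=Directory Manager"
[21/Sep/2014:10:08:01 +0200] BIND RES conn=9360 op=0 msgID=1 result=0 authDN="cn=Directory Manager" etime=2
[21/Sep/2014:10:08:03 +0200] DISCONNECT conn=9360 reason="Client Unbind"
[21/Sep/2014:10:09:10 +0200] CONNECT conn=9361 from=10.0.0.30:39004 to=10.0.0.5:636 protocol=LDAPS
[21/Sep/2014:10:09:12 +0200] DISCONNECT conn=9361 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"
[21/Sep/2014:10:11:40 +0200] CONNECT conn=9362 from=10.0.0.15:52203 to=10.0.0.5:636 protocol=LDAPS
[21/Sep/2014:10:11:41 +0200] DISCONNECT conn=9362 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"
EOF
}

# Usage against a real log: handshake_failures < /path/to/opendj/logs/access
sample_log | handshake_failures
```

A client that appears repeatedly in this report while others bind cleanly is the one to check for a pre-7u51 JVM, since the DH defect described under Causes is on the client side.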
Causes
The SSL error is caused by the client mis-encoding part of the SSL handshake: the server reports "no cipher suites in common" because it cannot complete the handshake with any of the cipher suites the client offered, not because the two sides have genuinely disjoint cipher suite lists.
This issue occurs when using DH (Diffie-Hellman) based cipher suites (such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and is a known Java 7 issue: JDK-8014618 (Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement). The Java 7 client does not strip leading zero bytes from the DH premaster secret, so client and server derive different key material whenever the shared secret happens to start with a zero byte; because only a fraction of DH exchanges do, the failure can appear intermittent.
You can check which cipher suites and protocols the server supports by reading the supportedTLSCiphers and supportedTLSProtocols attributes of the root DSE (an ldapsearch with an empty base DN and base scope requesting "supportedTLSCiphers supportedTLSProtocols"), as described in Administration Guide › To List Protocols and Cipher Suites.
Solution
This issue can be resolved by upgrading to at least Java 7u51, which fixes JDK-8014618, or by using non-DH cipher suites. Upgrading is the preferred fix: restricting the server to RSA key exchange works around the client defect but gives up forward secrecy for every client of that connection handler.
To use non-DH cipher suites:
You can either configure your client to use non-DH cipher suites or configure the LDAPS connection handler in DS/OpenDJ to offer a limited set of cipher suites using the dsconfig set-connection-handler-prop command.
For example, to permit the TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA cipher suites, you would use a command similar to the following:
$ ./dsconfig set-connection-handler-prop \
    --hostname ds1.example.com --port 4444 \
    --bindDN "cn=Directory Manager" --bindPassword password \
    --handler-name "LDAPS Connection Handler" \
    --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV \
    --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA \
    --add ssl-cipher-suite:SSL_RSA_WITH_RC4_128_SHA \
    -n -X
Note
The TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite is a special cipher suite used by Java and should always be included.
SSL_RSA_WITH_RC4_128_SHA is shown only to match the original example; RC4 is a weak cipher (its use in TLS is prohibited by RFC 7465), so omit it unless a legacy client requires it, and prefer the AES-based RSA suites.
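Rather than hand-picking suites, you can derive the ssl-cipher-suite arguments from the list the server (or the client JVM) reports, dropping the DH-based suites that trigger JDK-8014618 together with suites that are weak regardless of this bug, and always placing TLS_EMPTY_RENEGOTIATION_INFO_SCSV first. The script below is an added example, not DS/OpenDJ tooling. It assumes the input is one suite name per line, as in a supportedTLSCiphers attribute (the sample list is constructed, not taken from a real server), and it keeps ECDHE suites on the assumption that the defect, which is in the finite-field DHKeyAgreement, does not affect ECDH key agreement; exclude them too if you cannot verify that on your Java build.

```shell
#!/bin/sh
# Added example (not DS/OpenDJ tooling): build the ssl-cipher-suite arguments for
# dsconfig set-connection-handler-prop from a list of suite names on stdin.

# Drop finite-field DH key exchange (TLS_DH_*, TLS_DHE_*, including DH_anon),
# plus suites that are weak regardless of JDK-8014618 (NULL, anon, EXPORT,
# RC4, DES/3DES, MD5). ECDHE suites are kept (assumption: ECDH is unaffected).
# The SCSV pseudo-suite is removed here and re-added first by the caller.
non_dh_suites() {
  grep -E -v '_DHE?_' | grep -E -v 'NULL|anon|EXPORT|RC4|DES_|_MD5|_SCSV'
}

# Print the --add ssl-cipher-suite:... arguments on one line, SCSV first,
# ready to append to the dsconfig command shown in the article.
dsconfig_cipher_args() {
  printf '%s' '--add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV'
  non_dh_suites | while IFS= read -r suite; do
    printf ' --add ssl-cipher-suite:%s' "$suite"
  done
  printf '\n'
}

# Constructed sample in the shape of a Java 7 supportedTLSCiphers attribute
# (not a real server's output).
sample_suites() {
  cat <<'EOF'
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
EOF
}

# Usage with a real list: ldapsearch ... -b "" -s base supportedTLSCiphers |
#   sed -n 's/^supportedTLSCiphers: //p' | dsconfig_cipher_args
sample_suites | dsconfig_cipher_args
```

The generated arguments replace the three --add options in the command above; the remaining options (hostname, port, bind credentials, handler name, -n -X) are unchanged. After applying them, re-read supportedTLSCiphers from the root DSE to confirm no DH-based suite is still offered.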
See Also
FAQ: SSL certificate management in DS 6.x
Invalid Padding length error when attempting to connect to DS 5 or OpenDJ 3.x via LDAPS
How do I troubleshoot connection via LDAPS issues in DS (All versions)?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?
Configuration Reference › LDAP Connection Handler
OpenDJ: Troubleshooting LDAP SSL connections
Related Training
N/A
Related Issue Tracker IDs
N/A