LDAPS client connections fail with SSLHandshakeException: no cipher suites in common in DS 5 and OpenDJ 3.x
The purpose of this article is to provide assistance if ldapsearch fails with a "javax.net.ssl.SSLHandshakeException: no cipher suites in common" error in DS/OpenDJ when connecting via LDAPS if you are using Java® 7.
This article has been archived and is no longer maintained by ForgeRock.
The following error is shown when searching using the ldapsearch command if you are connecting to DS/OpenDJ via LDAPS:

java.net.SocketException: Socket Closed
    at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
    at java.net.Socket.setSoTimeout(Socket.java:1017)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:2107)
    at org.opends.server.tools.LDAPConnection.connectToHost(LDAPConnection.java:507)
    at org.opends.server.tools.LDAPSearch.mainSearch(LDAPSearch.java:1777)
    at org.opends.server.tools.LDAPSearch.main(LDAPSearch.java:580)
Cannot send the simple bind request: SSLHandshakeException(Remote host closed connection during handshake)
Result Code: 81 (Server Connection Closed)

An error similar to the following is shown in the DS/OpenDJ access log when the above error is received:

[21/Sep/2014:10:07:52 +0200] DISCONNECT conn=9359 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: no cipher suites in common"
Recent changes that typically precede this error:
Upgraded to Java 7 (pre-update 51).
Configured LDAPS (LDAP/SSL) between the client and the server.
The handshake failure is caused by a client-side bug in the Java 7 SSL implementation: the client does not encode the Diffie-Hellman premaster secret correctly (leading zero bytes are not stripped), so the server cannot complete the handshake. The "no cipher suites in common" message is the server's report that none of the cipher suites the client offered could be negotiated.
This issue occurs when using DH (Diffie-Hellman) based cipher suites (such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and is a known Java 7 issue: JDK-8014618: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement. Because the bug only triggers when the computed secret happens to start with a zero byte, the failure is intermittent rather than on every connection, which makes it easy to mistake for a transient network problem.
You can check which cipher suites and protocols the server offers by performing a base-object search of the root DSE for the supportedTLSCiphers and supportedTLSProtocols attributes, as described in Administration Guide › To List Protocols and Cipher Suites. Any suite whose name contains DH_ or DHE_ (but not ECDH/ECDHE, which use a different key agreement) is affected.
This issue can be resolved by upgrading to at least Java 7u51 or by using non-DH cipher suites.
To use non-DH cipher suites:
You can either configure your client to use non-DH cipher suites or configure the LDAPS connection handler in DS/OpenDJ to offer a limited set of cipher suites using the dsconfig set-connection-handler-prop command.
For example, to permit the TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA cipher suites, you would use a command similar to the following:

$ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAPS Connection Handler" --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA --add ssl-cipher-suite:SSL_RSA_WITH_RC4_128_SHA -n -X

The TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite is a special signalling cipher suite value used by Java to negotiate secure renegotiation and should always be included.
Two caveats apply to this workaround. RC4 has since been prohibited for TLS (RFC 7465), so SSL_RSA_WITH_RC4_128_SHA is shown only to match the original example and should not be enabled on a current deployment; prefer the AES-based RSA suites. Static RSA key exchange (TLS_RSA_*) also gives up forward secrecy, so restricting the cipher suites should be treated as a stopgap until the Java upgrade is done, at which point the DH suites can be re-enabled.
See also:
FAQ: SSL certificate management in DS 6.x
Invalid Padding length error when attempting to connect to DS 5 or OpenDJ 3.x via LDAPS
How do I troubleshoot connection via LDAPS issues in DS (All versions)?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?
Configuration Reference › LDAP Connection Handler
OpenDJ: Troubleshooting LDAP SSL connections
Related Issue Tracker IDs