Invalid Padding length error when attempting to connect to DS 5 or OpenDJ 3.x via LDAPS
The purpose of this article is to provide assistance if you receive a "javax.net.ssl.SSLHandshakeException: Invalid Padding length" error when attempting to connect to DS/OpenDJ via LDAPS while using Java® 7.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown intermittently when attempting to connect to DS/OpenDJ via LDAPS:
LDAP local: ldap_simple_bind_s Can't contact LDAP server
An error similar to the following is shown in the DS/OpenDJ log when the above error is received:
[21/Sep/2014:10:07:52 +0200] CONNECT conn=23 from=100.10.0.10:8080 to=100.10.10.10:1636 protocol=LDAPS
[21/Sep/2014:10:07:52 +0200] DISCONNECT conn=2 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: Invalid Padding length: 227"
Recent Changes
Upgraded to Java 7.
Configured LDAPS (LDAP/SSL) between the client and the server.
Causes
The error is raised by the server's SSL layer when a handshake message sent by the client does not decode to correctly padded block-cipher data: "Invalid Padding length" is the padding check of a CBC (block-based) cipher suite failing because the client did not encode the SSL handshake correctly. The failure is intermittent because it depends on the ephemeral key material generated for each handshake.
This issue occurs when using DH (Diffie-Hellman) based cipher suites (such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and is a known issue on Linux® systems using Java 7 (see SSL intermittent problem when using DH-based ciphers in Java 7 with Linux), although it can affect other operating systems.
You can check which cipher suites and protocols the server offers by searching the root DSE (base DN "", base scope) for the supportedTLSCiphers and supportedTLSProtocols attributes, as described in Administration Guide › To List Protocols and Cipher Suites. Any suite whose name starts with TLS_DH_, TLS_DHE_, SSL_DH_ or SSL_DHE_ is DH-based.
Solution
This issue can be resolved by upgrading to Java 8 or by using non-DH cipher suites.
To use non-DH cipher suites:
You can either configure your client to use non-DH cipher suites or configure the LDAPS connection handler in DS/OpenDJ to offer a limited set of cipher suites using the dsconfig set-connection-handler-prop command. Restricting the handler affects every client that connects over LDAPS, so confirm that your other clients support the suites you keep.
For example, to offer only the TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA cipher suites, you would use a command similar to the following:
$ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAPS Connection Handler" --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA --add ssl-cipher-suite:SSL_RSA_WITH_RC4_128_SHA -n -X
Note
The TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite is a special cipher suite used by Java and should always be included. SSL_RSA_WITH_RC4_128_SHA appears here only because it was in the original example; RC4 is a broken stream cipher that current clients refuse, so prefer the AES suites. The -X option trusts the administration port's certificate without verification; use a truststore instead where the administration port is reachable from an untrusted network.
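The root DSE check from the Causes section and the handler restriction from the Solution section, combined into one triage script. This is an added example and not part of the original article or of the DS/OpenDJ product: the hostname, ports, handler name, credentials and the sample root DSE output are assumed placeholders, and the DH pattern matches only finite-field DH/DHE suites (TLS_DH_*, TLS_DHE_*, SSL_DH_*, SSL_DHE_*), which are the kind the article names.

```shell
#!/bin/sh
# Added triage helper (not ForgeRock code): list the suites the LDAPS handler
# offers, flag the finite-field DH ones the article blames, and build the
# dsconfig command that restricts the handler to the remaining suites.
# Host, ports, handler name and credentials are assumed placeholders.

DS_HOST="${DS_HOST:-ds1.example.com}"
LDAPS_PORT="${LDAPS_PORT:-1636}"
ADMIN_PORT="${ADMIN_PORT:-4444}"
HANDLER="${HANDLER:-LDAPS Connection Handler}"

# 1. Ask the root DSE which suites and protocols the server offers (the check
#    the Causes section describes). Needs a reachable server; the offline demo
#    below uses a constructed sample instead.
root_dse_tls() {
    ldapsearch --hostname "$DS_HOST" --port "$LDAPS_PORT" --useSSL --trustAll \
        --baseDN "" --searchScope base "(objectClass=*)" \
        supportedTLSCiphers supportedTLSProtocols
}

# 2. From "supportedTLSCiphers: NAME" lines on stdin, print the suites whose
#    key exchange is finite-field DH or DHE. ECDH(E) suites are deliberately
#    not matched: the article names only DH/DHE suites as affected.
dh_suites() {
    sed -n 's/^supportedTLSCiphers: *//p' | grep -E '^(TLS|SSL)_DHE?_' || true
}

# 3. The complement: suites that can stay, minus the renegotiation SCSV, which
#    dsconfig_restrict_cmd adds itself.
non_dh_suites() {
    sed -n 's/^supportedTLSCiphers: *//p' \
        | grep -Ev '^(TLS|SSL)_DHE?_|_SCSV$' || true
}

# 4. Build the dsconfig command that limits the handler to the given suites.
#    TLS_EMPTY_RENEGOTIATION_INFO_SCSV always goes first, as the article requires.
#    Replace --bindPassword with a prompt or a password file in real use.
dsconfig_restrict_cmd() {
    cmd="dsconfig set-connection-handler-prop --hostname $DS_HOST --port $ADMIN_PORT"
    cmd="$cmd --bindDN \"cn=Directory Manager\" --bindPassword password"
    cmd="$cmd --handler-name \"$HANDLER\""
    cmd="$cmd --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    for s in "$@"; do
        case "$s" in
            TLS_EMPTY_RENEGOTIATION_INFO_SCSV) continue ;;   # never add it twice
        esac
        cmd="$cmd --add ssl-cipher-suite:$s"
    done
    printf '%s -n -X\n' "$cmd"
}

# 5. After applying the change, confirm from outside that the server no longer
#    negotiates ephemeral DH: offering only kEDH suites must now fail to handshake.
#    Needs openssl and a reachable server; not run by the offline demo.
probe_dh_from_outside() {
    openssl s_client -connect "$DS_HOST:$LDAPS_PORT" -cipher 'kEDH' </dev/null
}

# Constructed sample of root_dse_tls output (not captured from a real server).
SAMPLE='supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
supportedTLSProtocols: TLSv1'

echo "DH-based suites offered (these trigger the Java 7 bug):"
printf '%s\n' "$SAMPLE" | dh_suites
echo
echo "Restrict the handler to the remaining suites with:"
keep=$(printf '%s\n' "$SAMPLE" | non_dh_suites)
# shellcheck disable=SC2086  # splitting $keep into one argument per suite is intended
dsconfig_restrict_cmd $keep
```

Run it as-is to see the offline demo; replace the SAMPLE with the real output of root_dse_tls (or pipe `root_dse_tls | dh_suites`) against your server, review the list non_dh_suites leaves (drop RC4 and other weak suites yourself; the script only removes the DH ones), and run probe_dh_from_outside after the dsconfig change to confirm the handshake with DH-only suites now fails.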
See Also
How do I troubleshoot connection via LDAPS issues in DS (All versions)?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?
How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?
Administration Guide › TLS Protocols and Cipher Suites
Configuration Reference › LDAP Connection Handler
OpenDJ: Troubleshooting LDAP SSL connections
Related Training
N/A
Related Issue Tracker IDs
N/A