
Invalid Padding length error when attempting to connect to DS 5 or OpenDJ 3.x via LDAPS

Last updated Apr 8, 2021

The purpose of this article is to provide assistance if you receive a "javax.net.ssl.SSLHandshakeException: Invalid Padding length" error when attempting to connect to DS/OpenDJ via LDAPS if you are using Java® 7.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

The following error is shown intermittently when attempting to connect to DS/OpenDJ via LDAPS:

LDAP local: ldap_simple_bind_s Can't contact LDAP server

An error similar to the following is shown in the DS/OpenDJ log when the above error is received:

[21/Sep/2014:10:07:52 +0200] CONNECT conn=23 from=100.10.0.10:8080 to=100.10.10.10:1636 protocol=LDAPS
[21/Sep/2014:10:07:52 +0200] DISCONNECT conn=2 reason="I/O Error" msg="An IO error occurred while reading a request from the client: javax.net.ssl.SSLHandshakeException: Invalid Padding length: 227"

Recent Changes

Upgraded to Java 7.

Configured LDAPS (LDAP/SSL) between the client and the server.

Causes

The SSL error is caused by the client failing to encode the SSL handshake protocol properly; the invalid padding length refers to a block size error that occurs when a specific block-based cipher is used.

This issue occurs when using DH (Diffie-Hellman) based cipher suites (such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and is a known issue on Linux® systems using Java 7 (SSL intermittent problem when using DH-based ciphers in Java 7 with Linux), although it can affect other operating systems.

You can check which cipher suites are being used by performing a simple search for "supportedTLSCiphers supportedTLSProtocols" as described in Administration Guide › To List Protocols and Cipher Suites.

Solution

This issue can be resolved by upgrading to Java 8 or by using non-DH cipher suites.

To use non-DH cipher suites:

You can either configure your client to use non-DH cipher suites or configure the LDAPS connection handler in DS/OpenDJ to offer a limited set of cipher suites using the dsconfig set-connection-handler-prop command.

For example, to permit TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_RC4_128_SHA cipher suites, you would use a command similar to the following:

$ ./dsconfig set-connection-handler-prop --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAPS Connection Handler" --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV --add ssl-cipher-suite:TLS_RSA_WITH_AES_128_CBC_SHA --add ssl-cipher-suite:SSL_RSA_WITH_RC4_128_SHA -n -X

Note

The TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite is a special cipher suite used by Java and should always be included.
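The following shell script is an added example, not ForgeRock tooling or part of the original article. It ties together the check described under Causes (reading supportedTLSCiphers from the root DSE) and the dsconfig procedure above: one function flags the DH-based suites in a root DSE listing, and a second builds the --add ssl-cipher-suite arguments for dsconfig set-connection-handler-prop so that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always present and DH-based suites cannot be added back by mistake. The root DSE listing embedded here is constructed sample data; the ldapsearch invocation in the comment is assumed to match the DS/OpenDJ command-line tools and is not executed.

```shell
#!/bin/sh
# Added example (not ForgeRock's own tooling). Works on a supportedTLSCiphers
# listing such as the one returned by a root DSE search against the LDAPS port, e.g.
#   ldapsearch --hostname ds1.example.com --port 1636 --useSSL --baseDN "" \
#       --searchScope base "(objectClass=*)" supportedTLSCiphers supportedTLSProtocols
# (assumed DS/OpenDJ ldapsearch syntax; not run here).

# Constructed sample of a root DSE response, standing in for real server output.
SAMPLE_ROOT_DSE='dn:
supportedTLSCiphers: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
supportedTLSCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA
supportedTLSCiphers: SSL_RSA_WITH_RC4_128_SHA
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2'

# Read a root DSE listing on stdin and print only the classic DH-based suite names
# (TLS_DHE_*, TLS_DH_anon_*, SSL_DHE_*, ...). ECDHE suites are a different key
# exchange and are not the ones the article associates with the padding error, so
# the prefix match deliberately leaves TLS_ECDHE_* alone.
dh_suites() {
    sed -n 's/^supportedTLSCiphers: *//p' | grep -E '^(TLS|SSL)_DH'
}

# Build the "--add ssl-cipher-suite:..." arguments for
#   dsconfig set-connection-handler-prop ... --handler-name "LDAPS Connection Handler"
# from the suites given as arguments. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always
# emitted first (Java requires it), and any DH-based suite is skipped with a warning
# on stderr so the Java 7 problem cannot be reintroduced by the new configuration.
cipher_args() {
    args='--add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV'
    for suite in "$@"; do
        case "$suite" in
            TLS_DH*|SSL_DH*)
                echo "skipping DH-based suite: $suite" >&2 ;;
            TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
                ;;   # already included
            *)
                args="$args --add ssl-cipher-suite:$suite" ;;
        esac
    done
    printf '%s\n' "$args"
}

# Usage on the constructed sample: list the DH suites the server currently offers,
# then print the argument list you would splice into the dsconfig command.
echo "DH-based suites offered by the server:"
printf '%s\n' "$SAMPLE_ROOT_DSE" | dh_suites
echo "dsconfig arguments for a non-DH suite list:"
cipher_args TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_RC4_128_SHA
```

On the sample, dh_suites reports only TLS_DHE_RSA_WITH_AES_128_CBC_SHA, and cipher_args drops that suite while keeping the two RSA suites from the article's command. Note that SSL_RSA_WITH_RC4_128_SHA is kept here only because the article's own example lists it; RC4 has since been prohibited for TLS by RFC 7465, so on a current deployment prefer AES-based suites and combine this with the weak-cipher guidance linked under See Also.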

See Also

LDAPS client connections fail with SSLHandshakeException: no cipher suites in common in DS 5 and OpenDJ 3.x

How do I troubleshoot connection via LDAPS issues in DS (All versions)?

How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?

How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?

SSL in DS

Administration Guide › TLS Protocols and Cipher Suites

Configuration Reference › LDAP Connection Handler

OpenDJ: Troubleshooting LDAP SSL connections

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.