  AuthenticationException: The server did not receive any credentials via TLS
 
Subject: AuthenticationException: The server did not receive any credentials via TLS
Author: authen
In response to: CertificateException: No subject alternative DNS name found
Posted on: 07/03/2007 07:27:50 PM

An implicit authorization identity assertion is accomplished after TLS establishment by invoking a Bind request of the SASL form using the "EXTERNAL" mechanism. The server will derive the client's authorization identity from the authentication identity supplied in the client's certificate. In that sense, the client's certificate setting as shown below is a MUST for "EXTERNAL" implicit assertion to work.

    System.setProperty("javax.net.ssl.keyStore", "myKey.pfx");
    System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
    System.setProperty("javax.net.ssl.keyStorePassword", "secret");

Otherwise, you would get something like this:

javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]; remaining name 'uid=jdoe,cn=vip,dc=domain,dc=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3005)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2753)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2667)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2566)
at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2540)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1905)
at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1897)
at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1290)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:213)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:121)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:109)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:123)
at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:118)



 

> On 07/03/2007 07:13:57 PM authen wrote:

In order to prevent man-in-the-middle attacks, the client MUST use the server hostname as expressed in the server's certificate, which is also referred to as the subject and is, most likely, in the form of the full DNS name.
env.put(Context.PROVIDER_URL, "ldap://myServerInDnsFullName:389");

Otherwise, you would get something like this:

javax.net.ssl.SSLPeerUnverifiedException: hostname of the server 'myServer' does not match the hostname in the server's certificate.
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.verify(StartTlsResponseImpl.java:437)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:216)
at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:161)
at com.rli.slapd.client.ExternalTSLJndiClient.main(ExternalTSLJndiClient.java:122)
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myServe found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:193)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:77)
... 3 more
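The two posts above describe a single JNDI flow: open a plain LDAP connection, run StartTLS, let the TLS layer verify that the URL hostname matches the server certificate, and only then perform a SASL EXTERNAL bind backed by the client certificate in the key store. The program below is an added example that puts those steps together; it is not code from the thread or from any LDAP vendor. The server name, entry DN, key store and trust store file names and passwords are constructed placeholders, and the error handling maps the two exceptions quoted in the thread back to their usual causes so a failed connection can be diagnosed without reading the whole stack trace.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class ExternalTlsBindExample {

    // Constructed placeholders: the host part MUST be the name that appears in the
    // server certificate (SAN dNSName, or CN if the certificate carries no SAN).
    static final String SERVER_URL = "ldap://ldap.example.com:389";
    static final String ENTRY_DN = "uid=jdoe,cn=vip,dc=example,dc=com";

    public static void main(String[] args) {
        // Client certificate and private key: without these the TLS handshake presents no
        // client credential, and the EXTERNAL bind fails with LDAP error code 49
        // ("The server did not receive any credentials via TLS").
        System.setProperty("javax.net.ssl.keyStore", "myKey.pfx");
        System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
        System.setProperty("javax.net.ssl.keyStorePassword", "secret");
        // CA certificate(s) that issued the server certificate (placeholder file name).
        System.setProperty("javax.net.ssl.trustStore", "truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SERVER_URL);
        // No SECURITY_AUTHENTICATION yet: the initial connection is anonymous so that the
        // bind happens only after TLS is up and no credential ever crosses the wire in clear.

        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            ctx = new InitialLdapContext(env, null);
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

            // negotiate() runs the TLS handshake and checks the URL hostname against the
            // server certificate; a mismatch surfaces as SSLPeerUnverifiedException.
            SSLSession session = tls.negotiate();
            System.out.println("TLS established with " + session.getPeerHost()
                    + " using " + session.getCipherSuite());

            // Implicit assertion: the bind carries no DN or password, the server derives the
            // identity from the client certificate presented during the handshake.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
            ctx.reconnect(null); // performs the SASL EXTERNAL bind on the TLS-protected connection

            Attributes attrs = ctx.getAttributes(ENTRY_DN, new String[] {"cn", "mail"});
            System.out.println("Lookup as certificate identity succeeded: " + attrs);
        } catch (SSLPeerUnverifiedException e) {
            // Hostname in PROVIDER_URL does not match the certificate; fix the URL, not the check.
            System.err.println("Server certificate does not match " + SERVER_URL + ": " + e.getMessage());
        } catch (AuthenticationException e) {
            // Error code 49 after a successful handshake usually means no client certificate was sent:
            // check javax.net.ssl.keyStore* and that the server's CA trusts the client certificate.
            System.err.println("SASL EXTERNAL bind rejected: " + e.getMessage());
        } catch (NamingException | IOException e) {
            System.err.println("LDAP/TLS failure: " + e);
        } finally {
            try {
                if (tls != null) tls.close();   // tears down the TLS layer
                if (ctx != null) ctx.close();
            } catch (NamingException | IOException ignored) {
                // best-effort cleanup
            }
        }
    }
}
```

Compile and run with the placeholder names replaced by the real key store, trust store and directory host. The order matters: StartTLS and negotiate() before addToEnvironment and reconnect(), so that the hostname check has already passed and the client certificate is already associated with the connection when the EXTERNAL bind is sent.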