This forum is closed to new posts and responses. New discussions are now taking place in the IBM Developer Answers forum.


Nov 23, 2016, 10:16 AM
1 Posts

Certificate error when connecting via LDAP to AD

  • Category: Domino Server
  • Platform: Windows
  • Release: 9.0.1
  • Role:
  • Tags:
  • Replies: 2

Hi,

We want to establish an LDAP connection from our Domino 9.0.1 to our AD on Windows Server 2008 R2.

The connection using SSL/TLS can be made via a tool.

When trying to connect from the Domino Server, we get the following error:

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Extension type 0x0023, extension length 0x0000

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Processing TLS signature algorithms extension

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Client supports hash mask 0x007C; server cert chain has mask 0x0010

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Extension type 0x000F, extension length 0x0001

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> hash/alg in certchain  fSupHasAlg:0000

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessHandshakeMessage Exit> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLAdvanceHandshake Enter> Processed: ClientHello (1) State: HandshakeServerIdle (3)

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLAdvanceHandshake client_hello> SGC FLAG: 0   Count = 2

[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerHello

[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLEncodeServerHello> Sending empty renegotiation_info (0xff01) extension

[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLEncodeServerHello> Sending supported point formats (0x000b) extension

[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeCertificate

[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLEncodeCertificate> Generating a certificate message with 2 certs

[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerKeyExchange

[040C:000F-0A8C] 23.11.2016 15:18:02,36 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerHelloDone

[040C:000F-0A8C] 23.11.2016 15:18:02,36 SSLAdvanceHandshake Exit> State HandshakeClientKeyExchange (11)

[040C:000F-0A8C] 23.11.2016 15:18:02,36 SSL_Handshake> After handshake state = HandshakeClientKeyExchange (11); Status = -5000

[040C:000F-0A8C] 23.11.2016 15:18:02,36 int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]

The process ends with the message "invalid certificate chain".

What's wrong? Any tips are appreciated.


Best regards,

Andreas


Nov 28, 2016, 11:15 AM
94 Posts
There are no errors shown in that log, and those are server-side messages, not client-side...
These lines...

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Processing TLS signature algorithms extension

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Client supports hash mask 0x007C; server cert chain has mask 0x0010

...indicate that your server's certificate chain only uses one hash algorithm, and that algorithm is supported by the connecting client.

This also does not indicate an error...

[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessHandshakeMessage Exit> Message: ClientHello (1) State: HandshakeServerIdle (3) Key Exchange: 15 Cipher: ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)

... nor does this line:

[040C:000F-0A8C] 23.11.2016 15:18:02,36 int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]

"SSLHandshakeNoDone" just means that the handshake hasn't completed yet.

However, I note that you also stated, "When trying to connect from the Domino Server, we get the following error". The trace that you included is a server-side trace, not a client-side trace, so it isn't related to the Domino server connecting as an SSL/TLS client outbound over LDAP to an AD server. The sequence of messages that you're looking for would start with "SSLEncodeClientHello", not "SSLProcessClientHello".
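The reply above makes three checks by eye: which side of the handshake the trace was written by (SSLProcessClientHello means Domino is the server, SSLEncodeClientHello would mean it is the client), whether the client's hash mask covers the hash used in the server's certificate chain, and whether the final mapped error is SSLHandshakeNoDone (handshake not yet complete) rather than a real failure. The script below automates those checks over trace lines in the format quoted in the thread. It is an added example, not code from the thread or from IBM; the line-format regex is inferred from the quoted lines, the role markers are only the function names the thread itself mentions, and the client-side sample line is constructed for illustration.

```python
"""Triage helper for Domino SSL/TLS debug-trace lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Server-side lines quoted in the thread above (copied verbatim as sample input).
SERVER_TRACE = """
[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Processing TLS signature algorithms extension
[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> Client supports hash mask 0x007C; server cert chain has mask 0x0010
[040C:000F-0A8C] 23.11.2016 15:18:02,29 SSLProcessClientHello> We selected cipher ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030)
[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLAdvanceHandshake calling SSLPrepareAndQueueMessage> SSLEncodeServerHello
[040C:000F-0A8C] 23.11.2016 15:18:02,31 SSLEncodeCertificate> Generating a certificate message with 2 certs
[040C:000F-0A8C] 23.11.2016 15:18:02,36 SSL_Handshake> After handshake state = HandshakeClientKeyExchange (11); Status = -5000
[040C:000F-0A8C] 23.11.2016 15:18:02,36 int_MapSSLError> Mapping SSL error -5000 to 4176 [SSLHandshakeNoDone]
"""

# Constructed sample of what an outbound (client-side) trace would start with.
# Only the function name comes from the thread; the message text is made up.
CLIENT_TRACE_CONSTRUCTED = """
[0A1B:0003-1234] 23.11.2016 15:20:00,01 SSLEncodeClientHello> constructed sample: outbound handshake to LDAP server
"""


@dataclass
class TraceLine:
    thread: str
    timestamp: str
    func: str   # text before '>' e.g. "SSLProcessClientHello" or "SSLAdvanceHandshake Exit"
    msg: str    # text after '>'


# Format inferred from the quoted lines: [thread] dd.mm.yyyy hh:mm:ss,cc Function> message
LINE_RE = re.compile(
    r"^\[(?P<thread>[^\]]+)\]\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<func>[^>]+?)>\s*(?P<msg>.*)$"
)
MASK_RE = re.compile(
    r"Client supports hash mask 0x([0-9A-Fa-f]+); server cert chain has mask 0x([0-9A-Fa-f]+)"
)
STATE_RE = re.compile(r"After handshake state = (\w+) \((\d+)\)")
ERROR_RE = re.compile(r"Mapping SSL error (-?\d+) to (\d+) \[(\w+)\]")

# Function names the thread associates with each side of the handshake.
SERVER_SIDE_FUNCS = ("SSLProcessClientHello", "SSLEncodeServerHello")
CLIENT_SIDE_FUNCS = ("SSLEncodeClientHello",)


def parse_trace(text: str) -> List[TraceLine]:
    """Parse trace text into structured lines; non-matching lines are skipped."""
    parsed = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            parsed.append(TraceLine(m["thread"], f"{m['date']} {m['time']}",
                                    m["func"].strip(), m["msg"]))
    return parsed


def handshake_role(lines: List[TraceLine]) -> str:
    """'server' if Domino is accepting the connection, 'client' if it initiated it."""
    for ln in lines:
        if ln.func.startswith(SERVER_SIDE_FUNCS):
            return "server"
        if ln.func.startswith(CLIENT_SIDE_FUNCS):
            return "client"
    return "unknown"


def hash_mask_check(lines: List[TraceLine]) -> Optional[Dict]:
    """Compare the client's supported-hash bitmask with the hash(es) used in the cert chain."""
    for ln in lines:
        m = MASK_RE.search(ln.msg)
        if m:
            client_mask, chain_mask = int(m[1], 16), int(m[2], 16)
            return {
                "client_mask": client_mask,
                "chain_mask": chain_mask,
                "chain_hash_count": bin(chain_mask).count("1"),   # 1 => chain uses one hash algorithm
                "client_supports_chain_hash": (client_mask & chain_mask) == chain_mask,
            }
    return None


def final_status(lines: List[TraceLine]) -> Optional[Dict]:
    """Return the last handshake state and mapped error; SSLHandshakeNoDone is 'not finished yet'."""
    status: Dict = {}
    for ln in lines:
        st = STATE_RE.search(ln.msg)
        if st:
            status["last_state"] = st[1]
        er = ERROR_RE.search(ln.msg)
        if er:
            status.update(ssl_error=int(er[1]), mapped=int(er[2]), name=er[3],
                          still_in_progress=(er[3] == "SSLHandshakeNoDone"))
    return status or None


def triage(text: str) -> Dict:
    """One-shot summary of a pasted trace, mirroring the checks made in the reply."""
    lines = parse_trace(text)
    return {"role": handshake_role(lines), "hash_masks": hash_mask_check(lines),
            "status": final_status(lines), "lines_parsed": len(lines)}


if __name__ == "__main__":
    print(triage(SERVER_TRACE))
    print(triage(CLIENT_TRACE_CONSTRUCTED))
```

Run on the thread's trace it reports role "server", a single chain hash that the client supports, and a final status of SSLHandshakeNoDone with the handshake still in progress, which is exactly why none of those lines point at the "invalid certificate chain" failure: the outbound trace would need to be captured separately and would start with SSLEncodeClientHello.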
