LDAPS flow ignores configured truststore and fails with CERTIFICATE_UNKNOWN error #882

Open
@prthakre

Description

We are trying to use LDAPS with TLS over port 636, this however results in failure.
javax.net.debug system property is set to "ssl:handshake:verbose:keymanager:trustmanager" for debugging.

DefaultTlsDirContextAuthenticationStrategy is configured using a custom SSLSocketFactory with a custom truststore.

The custom truststore is correctly picked up during configuration:
javax.net.ssl|DEBUG|10|main|X509TrustManagerImpl.java:82|adding as trusted certificates (

But it is quickly overwritten with the default cacerts:

javax.net.ssl|DEBUG|93|XNIO-1 task-1|TrustStoreManager.java:113|trustStore is: /Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home/lib/security/cacerts trustStore type is: pkcs12

And, this finally results in failure:
javax.net.ssl|DEBUG|D3|XNIO-1 task-1|2024-06-12 09:48:37.369 IST|CertificateMessage.java:1135|Consuming server Certificate handshake message ( "Certificate": { "certificate_request_context": "", "certificate_list":

javax.net.ssl|DEBUG|93|XNIO-1 task-1|CertificateMessage.java:1135|Consuming server Certificate handshake message ( "Certificate": { "certificate_request_context": "", "certificate_list": [ { "certificate" : { "version" : "v3",

javax.net.ssl|ERROR|93|XNIO-1 task-1|TransportContext.java:370|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (

The same code/configuration works with STARTTLS over port 389, the only difference being that the custom truststore is not being overwritten.
javax.net.ssl|DEBUG|10|main|2024-06-12 09:50:06.124 IST|X509TrustManagerImpl.java:82|adding as trusted certificates ( "certificate" : {

javax.net.ssl|DEBUG|D3|XNIO-1 task-1|CertificateMessage.java:1135|Consuming server Certificate handshake message ( "Certificate": { "certificate_request_context": "", "certificate_list": [

javax.net.ssl|DEBUG|D3|XNIO-1 task-1|X509TrustManagerImpl.java:246|Found trusted certificate ( "certificate" : {

Version information:
JDK: 21
spring-boot: 3.3.0
spring-ldap: 3.2.3

Also, native-pooling is disabled.
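The following is an added example, not code from the issue or from Spring LDAP itself. It rests on an assumption the report does not confirm: `DefaultTlsDirContextAuthenticationStrategy` hands its `SSLSocketFactory` to the StartTLS negotiation after a plain connection is opened, whereas for an `ldaps://` URL the JNDI LDAP provider opens the TLS socket itself and, unless the `java.naming.ldap.factory.socket` environment property names a class with a static `getDefault()` method, uses the JDK default factory and therefore the default `cacerts`. That matches the `TrustStoreManager` line above but has not been verified against this reporter's setup. The example supplies such a factory backed by a dedicated truststore and wires it into an `LdapContextSource`; the host, bind DN, truststore path and password are hypothetical placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.springframework.ldap.core.support.LdapContextSource;

/**
 * SSLSocketFactory that JNDI instantiates by class name for ldaps:// URLs.
 * JNDI reads the class name from the "java.naming.ldap.factory.socket"
 * environment property and calls its public static getDefault() reflectively,
 * so the truststore must be reachable from static state.
 */
public final class TrustStoreLdapsSocketFactory extends SSLSocketFactory {

    // Hypothetical values for this example; a real deployment reads them from configuration.
    private static final String TRUSTSTORE_PATH = "/etc/app/ldap-truststore.p12";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    private static final SSLSocketFactory DELEGATE = buildDelegate();

    /** Entry point JNDI invokes reflectively for ldaps:// connections. */
    public static SSLSocketFactory getDefault() {
        return DELEGATE;
    }

    private static SSLSocketFactory buildDelegate() {
        try {
            KeyStore trustStore = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(Path.of(TRUSTSTORE_PATH))) {
                trustStore.load(in, TRUSTSTORE_PASSWORD);
            }
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            SSLContext ctx = SSLContext.getInstance("TLS");
            // No client key managers (no client certificate); default SecureRandom.
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (GeneralSecurityException | IOException e) {
            // Fail closed rather than silently falling back to the JDK cacerts.
            throw new IllegalStateException("Cannot load LDAPS truststore " + TRUSTSTORE_PATH, e);
        }
    }

    // Every SSLSocketFactory method delegates to the truststore-backed factory.
    @Override public String[] getDefaultCipherSuites() { return DELEGATE.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return DELEGATE.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return DELEGATE.createSocket(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return DELEGATE.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return DELEGATE.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return DELEGATE.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return DELEGATE.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return DELEGATE.createSocket(address, port, localAddress, localPort);
    }

    /** Spring LDAP context source for LDAPS on 636 that uses the factory above. */
    public static LdapContextSource ldapsContextSource() {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl("ldaps://ldap.example.test:636");                 // hypothetical host
        contextSource.setUserDn("cn=svc-app,ou=services,dc=example,dc=test"); // hypothetical bind DN
        contextSource.setPassword("bind-password-from-secret-store");          // placeholder
        contextSource.setPooled(false); // native pooling off, as in the report
        Map<String, Object> env = new HashMap<>();
        env.put("java.naming.ldap.factory.socket", TrustStoreLdapsSocketFactory.class.getName());
        contextSource.setBaseEnvironmentProperties(env);
        // No DefaultTlsDirContextAuthenticationStrategy here: that strategy negotiates
        // StartTLS after connecting, which does not apply to an ldaps:// URL.
        contextSource.afterPropertiesSet();
        return contextSource;
    }
}
```

With the `javax.net.debug` setting from the report, a successful run should show `X509TrustManagerImpl.java ... adding as trusted certificates` for the entries of `/etc/app/ldap-truststore.p12` and no `TrustStoreManager ... trustStore is: .../lib/security/cacerts` line on the `ldaps://` connection; if that cacerts line still appears, the property is not reaching the JNDI environment and the context source configuration, not the truststore, is the place to look.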
