spring-projects/spring-ldap

LDAPS flow ignores configured truststore and fails with CERTIFICATE_UNKNOWN error

prthakre opened this issue · 0 comments

We are trying to use LDAPS (TLS over port 636); this, however, results in failure.
javax.net.debug system property is set to "ssl:handshake:verbose:keymanager:trustmanager" for debugging.

DefaultTlsDirContextAuthenticationStrategy is configured using a custom SSLSocketFactory with a custom truststore.

The custom truststore is correctly picked up during configuration:
javax.net.ssl|DEBUG|10|main|X509TrustManagerImpl.java:82|adding as trusted certificates (

But it is quickly over-written with the default cacerts:

javax.net.ssl|DEBUG|93|XNIO-1 task-1|TrustStoreManager.java:113|trustStore is: /Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home/lib/security/cacerts trustStore type is: pkcs12

And, this finally results in failure:
javax.net.ssl|DEBUG|D3|XNIO-1 task-1|2024-06-12 09:48:37.369 IST|CertificateMessage.java:1135|Consuming server Certificate handshake message ( "Certificate": { "certificate_request_context": "", "certificate_list":

javax.net.ssl|DEBUG|93|XNIO-1 task-1|CertificateMessage.java:1135|Consuming server Certificate handshake message ( "Certificate": { "certificate_request_context": "", "certificate_list": [ { "certificate" : { "version" : "v3",

javax.net.ssl|ERROR|93|XNIO-1 task-1|TransportContext.java:370|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (

The same code/configuration works with STARTTLS over port 389, the only difference being that the custom truststore is not over-written:
javax.net.ssl|DEBUG|10|main|2024-06-12 09:50:06.124 IST|X509TrustManagerImpl.java:82|adding as trusted certificates ( "certificate" : {

javax.net.ssl|DEBUG|D3|XNIO-1 task-1|CertificateMessage.java:1135|Consuming server Certificate handshake message ( "Certificate": { "certificate_request_context": "", "certificate_list": [

javax.net.ssl|DEBUG|D3|XNIO-1 task-1|X509TrustManagerImpl.java:246|Found trusted certificate ( "certificate" : {

Version information:
JDK: 21
spring-boot: 3.3.0
spring-ldap: 3.2.3

Also, native-pooling is disabled.
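For readers hitting the same trace: the debug output above is consistent with the socket factory set on the TLS authentication strategy only being applied to the STARTTLS upgrade, while a plain ldaps:// connection is opened by JNDI itself and therefore falls back to the JVM's default cacerts. Whether that is the root cause here is not confirmed by this issue; what follows is an added example (not code from the reporter or from the Spring LDAP project) of the standard JNDI way to hand LDAPS a dedicated truststore: the `java.naming.ldap.factory.socket` environment property names a class whose static `getDefault()` returns the socket factory. The truststore path, password and bean wiring are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.ldap.core.support.LdapContextSource;

/**
 * SSLSocketFactory that trusts only the certificates in a dedicated truststore.
 * JNDI instantiates it by reflection via the static getDefault() method when
 * java.naming.ldap.factory.socket names this class.
 */
public class LdapsTrustStoreSocketFactory extends SSLSocketFactory {

    // Assumed locations for the example; point these at your own truststore.
    private static final String TRUST_STORE_PATH =
            System.getProperty("ldap.truststore", "/path/to/ldap-truststore.p12");
    private static final char[] TRUST_STORE_PASSWORD =
            System.getProperty("ldap.truststore.password", "changeit").toCharArray();

    // Built once; all factory instances delegate to the same SSLContext.
    private static final SSLSocketFactory DELEGATE = buildDelegate();

    private static SSLSocketFactory buildDelegate() {
        try (FileInputStream in = new FileInputStream(TRUST_STORE_PATH)) {
            KeyStore trustStore = KeyStore.getInstance("PKCS12");
            trustStore.load(in, TRUST_STORE_PASSWORD);
            // Trust manager validates the server chain against this store only,
            // not against the JVM's default cacerts.
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (Exception e) {
            throw new IllegalStateException("Cannot initialise LDAPS truststore", e);
        }
    }

    /** Entry point looked up by the JNDI LDAP provider. */
    public static SSLSocketFactory getDefault() {
        return new LdapsTrustStoreSocketFactory();
    }

    @Override public String[] getDefaultCipherSuites() { return DELEGATE.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return DELEGATE.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return DELEGATE.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return DELEGATE.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return DELEGATE.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return DELEGATE.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return DELEGATE.createSocket(address, port, localAddress, localPort);
    }

    /**
     * Builds a Spring LDAP context source for an ldaps:// URL that uses the
     * factory above for every connection. Register the result as a bean so
     * Spring calls afterPropertiesSet() on it.
     */
    public static LdapContextSource ldapsContextSource(String url, String userDn, String password) {
        LdapContextSource source = new LdapContextSource();
        source.setUrl(url);              // e.g. ldaps://ldap.example.internal:636 (placeholder)
        source.setUserDn(userDn);
        source.setPassword(password);
        Map<String, Object> env = new HashMap<>();
        env.put("java.naming.ldap.factory.socket", LdapsTrustStoreSocketFactory.class.getName());
        source.setBaseEnvironmentProperties(env);
        return source;
    }
}
```

With `javax.net.debug` still set as in the report, a correct wiring shows the `adding as trusted certificates` entries for the custom store followed by `Found trusted certificate` during the handshake, and no `TrustStoreManager ... cacerts` line for the LDAPS connection. Keeping the truststore limited to the directory's issuing CA is the defensive choice here: it rejects a server presenting a certificate from any other publicly trusted CA, which the default cacerts would accept.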