Wessel, Keith
2014-10-15 19:30:04 UTC
Hi, all,
Our AD folks just turned off SSLv3 support on our AD LDAPS service. Shib didn't like it.
13:44:08.766 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] [session=296a318ae3b59564bf94f8fb50fee6ef4a93ecd3716f7574556b0a6715c65b97]
- unabled to connect to the ldap
javax.naming.ServiceUnavailableException: host.name.removed:636; socket closed
at com.sun.jndi.ldap.Connection.readReply(Connection.java:454) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:364) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
~[na:1.7.0_60]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
~[na:1.7.0_60]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
~[na:1.7.0_60]
at javax.naming.InitialContext.init(InitialContext.java:242) ~[na:1.7.0_60]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
~[na:1.7.0_60]
at edu.vt.middleware.ldap.handler.DefaultConnectionHandler.connectInternal(DefaultConnectionHandler.java:134)
~[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.handler.AbstractConnectionHandler.connect(AbstractConnectionHandler.java:156)
~[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.AbstractLdap.connect(AbstractLdap.java:1006) ~[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:106)
[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:28)
[vt-ldap-3.3.8.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapPoolEmptyStrategy.checkOut(LdapPoolEmptyStrategy.java:92)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.searchLdap(LdapDataConnector.java:367)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:315)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:50)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ContextualDataConnector.resolve(ContextualDataConnector.java:77)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ContextualDataConnector.resolve(ContextualDataConnector.java:31)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDataConnector(ShibbolethAttributeResolver.java:374)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDependencies(ShibbolethAttributeResolver.java:410)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttribute(ShibbolethAttributeResolver.java:332)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:284)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:131)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority.getAttributes(ShibbolethSAML2AttributeAuthority.java:175)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority.getAttributes(ShibbolethSAML2AttributeAuthority.java:59)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.resolveAttributes(AbstractSAML2ProfileHandler.java:480)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:307)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:173)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
[shibboleth-common-1.4.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at net.clareitysecurity.shibboleth.storage.ClusterFilter.doFilter(ClusterFilter.java:95)
[db-storage-service-1.1.3.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50)
[shibboleth-identityprovider-2.4.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87)
[shibboleth-identityprovider-2.4.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52)
[shibboleth-common-1.4.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
[catalina.jar:6.0.41]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:6.0.41]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
[catalina.jar:6.0.41]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
[tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:311) [tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776) [tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705)
[tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898)
[tomcat-coyote.jar:6.0.41]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
[tomcat-coyote.jar:6.0.41]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
"Socket closed" doesn't tell me much, but as soon as they turned SSLv3 back on, things worked again. I did some OpenSSL snooping, and the LDAPS service does seem to support SSLv3 as well as TLS v1.0/1.1/1.2.
Based on the fairly obvious theory that the IdP is only negotiating SSLv3, are there any ways to make it use TLS v1?
Or might it be something completely different? Should this have still worked?
Keith
Our AD folks just turned off SSLv3 support on our AD LDAPS service. Shib didn't like it.
13:44:08.766 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] [session=296a318ae3b59564bf94f8fb50fee6ef4a93ecd3716f7574556b0a6715c65b97]
- unabled to connect to the ldap
javax.naming.ServiceUnavailableException: host.name.removed:636; socket closed
at com.sun.jndi.ldap.Connection.readReply(Connection.java:454) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:364) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) ~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
~[na:1.7.0_60]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
~[na:1.7.0_60]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
~[na:1.7.0_60]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
~[na:1.7.0_60]
at javax.naming.InitialContext.init(InitialContext.java:242) ~[na:1.7.0_60]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
~[na:1.7.0_60]
at edu.vt.middleware.ldap.handler.DefaultConnectionHandler.connectInternal(DefaultConnectionHandler.java:134)
~[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.handler.AbstractConnectionHandler.connect(AbstractConnectionHandler.java:156)
~[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.AbstractLdap.connect(AbstractLdap.java:1006) ~[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:106)
[vt-ldap-3.3.8.jar:na]
at edu.vt.middleware.ldap.pool.DefaultLdapFactory.create(DefaultLdapFactory.java:28)
[vt-ldap-3.3.8.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapPoolEmptyStrategy.checkOut(LdapPoolEmptyStrategy.java:92)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.searchLdap(LdapDataConnector.java:367)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:315)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.resolve(LdapDataConnector.java:50)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ContextualDataConnector.resolve(ContextualDataConnector.java:77)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ContextualDataConnector.resolve(ContextualDataConnector.java:31)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDataConnector(ShibbolethAttributeResolver.java:374)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveDependencies(ShibbolethAttributeResolver.java:410)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttribute(ShibbolethAttributeResolver.java:332)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:284)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.resolveAttributes(ShibbolethAttributeResolver.java:131)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority.getAttributes(ShibbolethSAML2AttributeAuthority.java:175)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority.getAttributes(ShibbolethSAML2AttributeAuthority.java:59)
[shibboleth-common-1.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler.resolveAttributes(AbstractSAML2ProfileHandler.java:480)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.completeAuthenticationRequest(SSOProfileHandler.java:307)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:173)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler.processRequest(SSOProfileHandler.java:90)
[shibboleth-identityprovider-2.4.2.jar:na]
at edu.internet2.middleware.shibboleth.common.profile.ProfileRequestDispatcherServlet.service(ProfileRequestDispatcherServlet.java:83)
[shibboleth-common-1.4.2.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at net.clareitysecurity.shibboleth.storage.ClusterFilter.doFilter(ClusterFilter.java:95)
[db-storage-service-1.1.3.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50)
[shibboleth-identityprovider-2.4.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87)
[shibboleth-identityprovider-2.4.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52)
[shibboleth-common-1.4.2.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.41]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
[catalina.jar:6.0.41]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
[catalina.jar:6.0.41]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:6.0.41]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
[catalina.jar:6.0.41]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
[tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:311) [tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776) [tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705)
[tomcat-coyote.jar:6.0.41]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898)
[tomcat-coyote.jar:6.0.41]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
[tomcat-coyote.jar:6.0.41]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
"Socket closed" doesn't tell me much, but as soon as they turned SSLv3 back on, things worked again. I did some OpenSSL snooping, and the LDAPS service does seem to support SSLv3 as well as TLS v1.0/1.1/1.2.
Based on the fairly obvious theory that the IdP is only negotiating SSLv3, are there any ways to make it use TLS v1?
Or might it be something completely different? Should this have still worked?
Keith