DA LDAP on Port 636 error

Hi all,

Our Domino server wants to browse the user directory of a partner organization using LDAP. The partner is also using Domino. SSL is mandatory.

Steps performed:

  1. Firewall opened

— A third-party LDAP browser (on the same machine as the Domino server) can successfully connect to the partner organization using SSL on port 636 and we can browse the directory

  2. Root certificate from partner extracted using openssl

— C:\Temp>openssl.exe s_client -connect 10.10.10.1:636 >> cert_partner.pem

Output from openssl (but it will create a PEM file which will contain the certificate)
depth=2 C = US, O = “thawte, Inc.”, OU = Certification Services Division, OU = "
(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=19:self signed certificate in certificate chain
read:errno=10093

  3. This certificate imported into the KYR file as Signer

— We used ikeyman to put this into the KYR file which is specified in the server document, then the server was restarted

  4. Created a DA document

— All tests in the DA document work except the “Verify” button next to “Which Search Filter To Use”; here the error is "Unexpected error - ‘java.lang.NullpointerException’". But I read that the wizard in DA is not the same as what Domino actually will use, so ignoring this for now

  5. This comes in the server console after reboot of the server

    set config debug_ssl_all=3
    2015-05-20 20:47:30 Error attempting to access the Directory *[10.10.10.1]:636 (no available alternatives), error is LDAP Server is NOT available.
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSLCheckCertChain> Invalid certificate chain received Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid
    2015-05-20 20:47:30,29 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error 0 to 0
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Handshake> Enter
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Handshake> SSL Undetermined attempt
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Enter len = 45
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Xmt> 00000000: 80 2B 01 03 00 00 12 00 00 00 10 00 00 04 00 00 ‘.+…’
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Xmt> 00000010: 05 00 00 2F 00 00 35 00 00 0A 01 00 80 9F B9 65 ‘…/…5…9e’
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Xmt> 00000020: F8 54 01 02 4D FB CE 34 10 DC B2 AE C3 ‘xT…M{N4.\2.C’
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Switching Endpoint to sync
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Posting a nti_snd for 45 bytes
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_EncryptData> SSL not init exit
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Switching Endpoint to async
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_EncryptDataCleanup> SSL not init exit
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> nti_done return 45 bytes rc = 0
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Exit, wrote 45 bytes
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Read> Enter len = 1
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Read> Switching Endpoint to sync
    2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Read> Posting a nti_rcv for 1 bytes
    2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_RcvSetup> SSL not init exit
    2015-05-20 20:47:30,31 [12C4:0004-15C4] S_Read> Switching Endpoint to async
    2015-05-20 20:47:30,31 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9
    2015-05-20 20:47:30,31 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9 Event = 0x100
    2015-05-20 20:47:30,31 [12C4:0004-15C4] SSL_Handshake> After handshake state= 2 Status= -6989
    2015-05-20 20:47:30,31 [12C4:0004-15C4] SSL_Handshake> Exit Status = -6989
    2015-05-20 20:47:30,31 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error -6989 to 4165
    Checking keyfile certificates:
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSLCheckCertChain> Invalid certificate chain received Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid
    2015-05-20 20:47:30,35 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error 0 to 0
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Handshake> Enter
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Handshake> SSL Undetermined attempt
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Enter len = 45
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Xmt> 00000000: 80 2B 01 03 00 00 12 00 00 00 10 00 00 04 00 00 ‘.+…’
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Xmt> 00000010: 05 00 00 2F 00 00 35 00 00 0A 01 00 80 98 CD D9 ‘…/…5…MY’
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Xmt> 00000020: 4D BE 68 BE EA 38 CD 71 C0 7A 5A 7C 8B ‘M>h>j8Mq@zZ|.’
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Switching Endpoint to sync
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Posting a nti_snd for 45 bytes
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_EncryptData> SSL not init exit
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Switching Endpoint to async
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_EncryptDataCleanup> SSL not init exit
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> nti_done return 45 bytes rc = 0
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Exit, wrote 45 bytes
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Read> Enter len = 1
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Read> Switching Endpoint to sync
    2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Read> Posting a nti_rcv for 1 bytes
    2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_RcvSetup> SSL not init exit
    2015-05-20 20:47:30,37 [12C4:0004-15C4] S_Read> Switching Endpoint to async
    2015-05-20 20:47:30,37 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9
    2015-05-20 20:47:30,37 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9 Event = 0x100
    2015-05-20 20:47:30,37 [12C4:0004-15C4] SSL_Handshake> After handshake state= 2 Status= -6989
    2015-05-20 20:47:30,37 [12C4:0004-15C4] SSL_Handshake> Exit Status = -6989
    2015-05-20 20:47:30,37 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error -6989 to 4165
    Checking keyfile certificates:
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSLCheckCertChain> Invalid certificate chain received Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid
    2015-05-20 20:47:30,42 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error 0 to 0
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Handshake> Enter
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Handshake> SSL Undetermined attempt
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Enter len = 45
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Xmt> 00000000: 80 2B 01 03 00 00 12 00 00 00 10 00 00 04 00 00 ‘.+…’
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Xmt> 00000010: 05 00 00 2F 00 00 35 00 00 0A 01 00 80 C9 7C 3C ‘…/…5…I|<’
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Xmt> 00000020: FC 00 E2 73 ED 09 B7 C0 BA 41 F3 0A 27 ‘|.bsm.7@:As.’’
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Switching Endpoint to sync
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Posting a nti_snd for 45 bytes
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_EncryptData> SSL not init exit
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Switching Endpoint to async
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_EncryptDataCleanup> SSL not init exit
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> nti_done return 45 bytes rc = 0
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Exit, wrote 45 bytes
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Read> Enter len = 1
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Read> Switching Endpoint to sync
    2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Read> Posting a nti_rcv for 1 bytes
    2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_RcvSetup> SSL not init exit
    2015-05-20 20:47:30,43 [12C4:0004-15C4] S_Read> Switching Endpoint to async
    2015-05-20 20:47:30,43 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9
    2015-05-20 20:47:30,43 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9 Event = 0x100
    2015-05-20 20:47:30,43 [12C4:0004-15C4] SSL_Handshake> After handshake state= 2 Status= -6989
    2015-05-20 20:47:30,43 [12C4:0004-15C4] SSL_Handshake> Exit Status = -6989
    2015-05-20 20:47:30,43 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error -6989 to 4165
    2015-05-20 20:47:31 Error attempting to access the Directory *[10.10.10.1]:636 (no available alternatives), error is LDAP Server is NOT available.

Any ideas???

Subject: Certificate

Thanks all for the help, I will try them out, during this week.

  • Domino (LDAP client) is version 9.0.1 FP2 on Windows. I do not know which Domino version the LDAP server runs.

  • I did import the ldap client root-cert into cacerts. But I have not put it into Domino Directory.

  • I did select “Accept expired certificates” in the DA config.

  • The Domino (LDAP client) server has an expired cert.

  • The LDAP server has a valid certificate.

Subject: Version

Hi,

Which version of Domino is deployed on your server and on the LDAP site?

Importing the root certifier of the target site is not necessary. When you want to trust a root certifier you have to import it to your domino directory or put it to cacerts within the domino java directory (depends on the service you need to connect).

Regards

Chris

Subject: kyrtool to import trusted root

The following contains steps to use kyrtool.exe to import the trusted root certificate.

Installing and Running the Domino keyring tool
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/kyrtool

‘import roots’ will import one or more certificates into the keyring file as trusted roots.
The input file must contain one or more ‘-----BEGIN CERTIFICATE-----’ PEM blobs.

Subject: Is that all of the output from openssl?

It looks like you hit an error (read:errno=10093), but it’s not clear if you only pasted the first part of the output or if that’s all there was. If it’s the latter, then you didn’t get the certificate. You should see BEGIN CERTIFICATE and END CERTIFICATE in the output, among many other things.

Subject: SSLCheckCertChain> Invalid certificate chain received: Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid

Is the LDAP server’s certificate expired or not yet valid?

Is the Domino server’s certificate expired or not yet valid?
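The two questions above, plus the earlier "did you actually get a certificate?" reply, come down to one check: does the captured openssl output contain PEM blocks, and is each certificate's notBefore/notAfter window open at the time of the handshake. The script below is an added example and not code from this thread or from IBM; `extract_pem_blocks`, `validity` and `check_capture` are the editor's own names. It pulls every `BEGIN CERTIFICATE` block out of an `s_client` capture (plain `s_client` prints only the leaf; `s_client -showcerts` prints the whole chain), walks the DER just far enough to read the validity field, and reports the same "expired or not yet valid" verdict Domino's SSLCheckCertChain logged. The sample captures at the bottom are constructed: the certificate blobs are DER skeletons with a real TBSCertificate layout but no real key or signature, built only so the example runs offline.

```python
"""Added example (not from the thread): find PEM certificate blocks in an
openssl s_client capture and check each one's validity window."""
from __future__ import annotations

import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_pem_blocks(text: str) -> list[bytes]:
    """DER bytes of every PEM certificate block in the capture (chain order)."""
    return [base64.b64decode(re.sub(r"\s+", "", body)) for body in PEM_RE.findall(text)]


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list[tuple[int, bytes]]:
    """Split the contents of a constructed value (SEQUENCE) into its TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _asn1_time(tag: int, val: bytes) -> datetime:
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ (RFC 5280: YY >= 50 means 19YY)
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                       # 0x18 = GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der: bytes) -> tuple[datetime, datetime]:
    """(notBefore, notAfter) of a DER X.509 certificate.
    TBSCertificate = [0] version OPTIONAL, serialNumber, signature, issuer, validity, ..."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # skip the explicit [0] version if present
        fields = fields[1:]
    (t1, v1), (t2, v2) = _children(fields[3][1])
    return _asn1_time(t1, v1), _asn1_time(t2, v2)


def check_capture(text: str, now: datetime) -> list[str]:
    """One verdict per certificate, mirroring Domino's 'expired or not yet valid' check."""
    ders = extract_pem_blocks(text)
    if not ders:
        hint = " (openssl reported a read error; capture is truncated)" if "read:errno=" in text else ""
        return ["no certificate blocks found" + hint]
    verdicts = []
    for i, der in enumerate(ders, 1):
        nb, na = validity(der)
        if now < nb:
            verdicts.append(f"cert {i}: not yet valid (notBefore {nb:%Y-%m-%d})")
        elif now > na:
            verdicts.append(f"cert {i}: expired (notAfter {na:%Y-%m-%d})")
        else:
            verdicts.append(f"cert {i}: valid until {na:%Y-%m-%d}")
    return verdicts


# ---- constructed test data: DER skeletons with a real layout but no real key/signature ----
def _tlv(tag: int, val: bytes) -> bytes:
    n = len(val)
    if n < 0x80:
        return bytes([tag, n]) + val
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val


def _fake_cert_pem(not_before: datetime, not_after: datetime) -> str:
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                                   # [0] version v3
        _tlv(0x02, b"\x01"),                                               # serialNumber
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSA
        _tlv(0x30, b""),                                                   # issuer (placeholder)
        _tlv(0x30, utc(not_before) + utc(not_after)),                      # validity
        _tlv(0x30, b""), _tlv(0x30, b""),                                  # subject, SPKI (placeholders)
    ]))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


UTC = timezone.utc
NOW = datetime(2015, 5, 20, 20, 47, 30, tzinfo=UTC)       # timestamp of the console log above
SAMPLE_CAPTURE = (                                         # constructed: one expired, one valid cert
    "verify error:num=19:self signed certificate in certificate chain\n"
    + _fake_cert_pem(datetime(2013, 1, 1, tzinfo=UTC), datetime(2014, 12, 31, tzinfo=UTC))
    + _fake_cert_pem(datetime(2014, 1, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC))
)
TRUNCATED_CAPTURE = "verify error:num=19:self signed certificate in certificate chain\nread:errno=10093\n"

if __name__ == "__main__":
    for line in check_capture(SAMPLE_CAPTURE, NOW) + check_capture(TRUNCATED_CAPTURE, NOW):
        print(line)
```

Run against a real capture (`openssl s_client -showcerts -connect host:636 </dev/null > capture.txt`, then `check_capture(open("capture.txt").read(), datetime.now(timezone.utc))`), and compare against `openssl x509 -noout -dates` on each block if you want a second opinion. A capture that ends in `read:errno=...` with no block, as in the first post, tells you the handshake never got far enough to hand over a certificate, so there was nothing to import into the KYR file.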

Subject: solved?

Hi,

Have you by chance solved this issue?

Subject: Update

Here is a late update. I have been dealing with this error on multiple sites.

In this particular case I think it was solved by a notes.ini setting, but I do not know which. Here is a list of settings I have been playing around with for LDAP SSL:

Disable_SSLv3=1

SSL_ENABLE_INSECURE_SSLV2_HELLO=1

SSL_DISABLE_TLS_12=1

SSL_ENABLE_INSECURE_RENEGOTIATE=1