how to get ldap certificate bypass the mutual certification using Java

manpreet Best Answer 2 years ago

I'm writing a project that could get Ldap certificate from a remote server. It works fine for the general mode when the server does not require mutual certification. But when I try a server that requires mutual certification, it fails. Here is the code:

    String serverSpec = null;
    boolean enableAnonSuites = false;
    boolean isTracing = false;

    // Try and parse command line arguments.
    try {

        serverSpec = "ldap://10.47.16.60:389";
    }

    catch (Exception e) {
        trace(true,e.toString());
        usage();
        return;
    }

    try {

        // Create a SocketFactory that will be given to LDAP for 
        // building SSL sockets
        MySocketFactory msf = new MySocketFactory(isTracing,
                enableAnonSuites);

        // Set up environment for creating initial context
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, 
                "com.sun.jndi.ldap.LdapCtxFactory");


        // Must use the name of the server that is found in its certificate
        env.put(Context.PROVIDER_URL, 
                serverSpec
                );

        // Create initial context
        trace(isTracing,"Creating new Ldapcontext");
        LdapContext ctx = new InitialLdapContext(env, null);

        // Start 
        trace(isTracing,"Performing StartTlsRequest");
        StartTlsResponse tls = null;

        try {
            tls = (StartTlsResponse)ctx.extendedOperation(new StartTlsRequest());
        }
        catch (NamingException e) {
            trace(true,"Unable to establish SSL connection:\n"
                    +e);
            return;
        }


        // The default JSSE implementation will compare the hostname of
        // the server with the hostname in the server's certificate, and
        // will not proceed unless they match.  To override this behaviour,
        // you have to provide your own HostNameVerifier object.  The 
        // example below simply bypasses the check

        tls.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) 
            {
                return true;
            }
        });
        // Negotiate SSL on the connection using our own SocketFactory
        trace(isTracing,"Negotiating SSL");
        SSLSession sess = null;
        sess = tls.negotiate(msf);

        X509Certificate[] cert = sess.getPeerCertificateChain();

The exception information is as follows: "javax.net.ssl.SSLException: Received fatal alert: internal error", and it happens at the "negotiate" method. And I analyzed the wireshark trace information and am sure this is because the server requires mutual certification. Right now, I'm wondering if there are certain class that is in the com.sun.jndi.ldap package that could be useful for this problem. Could anyone help?

manpreet 2 years ago