389-console fails to connect with TLSv1.2

Bug #1730039 reported by Chuin Ooi on 2017-11-04
This bug affects 3 people
Affects: 389-console (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: jss (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

389-console on Ubuntu 17.10 fails to connect to an instance of dirsrv-admin that has been configured to allow only TLSv1.2 connections (389-console on Ubuntu 17.04 works fine against the same instance).

389-console -D 9 debug shows the following error:

CREATE JSS SSLSocket
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error
 at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(Native Method)
 at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1398)
 at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
 at com.netscape.management.client.comm.CommManager.send(Unknown Source)
 at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
 at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
 at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
 at com.netscape.management.client.console.Console.<init>(Unknown Source)
 at com.netscape.management.client.console.Console.main(Unknown Source)

Downgrading the libjss-java package to version 4.3.1-7build1 from Ubuntu 17.04 fixes the problem.
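
Added example (not part of the original report, and not code from JSS or 389-console): a small Python decoder for the exception line above, showing which protocol versions the numbers stand for and which bound falls outside the accepted range. It assumes the numbers are TLS wire version codes ((major << 8) | minor) and that the parenthesised pair is the range the library accepts, as the message wording indicates; the function and variable names are made up for this example.

```python
import re

# TLS protocol version codes are (major << 8) | minor on the wire; NSS uses
# the same numbers for its version-range API.
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

RANGE_ERROR = re.compile(
    r"SSL_VersionRangeSetDefault\(\) for variant=\d+ "
    r"with min=(?P<min>\d+) max=(?P<max>\d+) "
    r"out of range \((?P<lo>\d+):(?P<hi>\d+)\)"
)


def version_name(code):
    """Map a decimal version code from the log to a protocol name."""
    return VERSION_NAMES.get(code, "unknown (0x%04x)" % code)


def explain_range_error(line):
    """Decode one log line; return None if it is not a version-range error."""
    m = RANGE_ERROR.search(line)
    if m is None:
        return None
    req_min, req_max, lo, hi = (int(m.group(k)) for k in ("min", "max", "lo", "hi"))
    findings = []
    if req_min < lo:
        findings.append("requested minimum %s is below accepted minimum %s"
                        % (version_name(req_min), version_name(lo)))
    if req_max > hi:
        findings.append("requested maximum %s is above accepted maximum %s"
                        % (version_name(req_max), version_name(hi)))
    return {
        "requested": (version_name(req_min), version_name(req_max)),
        "accepted": (version_name(lo), version_name(hi)),
        "findings": findings,
    }


# Exception line copied from the report.
SAMPLE = ("org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() "
          "for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error")

if __name__ == "__main__":
    print(explain_range_error(SAMPLE))
```
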

tags: added: artful
Antti Palsola (antti.palsola) wrote :

This is also happening to me with Ubuntu 18.04 (bionic):

$ 389-console -D 9 -x nologo -u "cn=directory manager" -a https://<servername>:9830
---- [clip] ----
CommManager> New CommRecord (https://<servername>:9830/admin-serv/authenticate)
ResourceSet: found in cache loader501263526:com.netscape.management.client.theme.theme
ResourceSet: NOT found in cache loader501263526:com.netscape.management.client.comm.HttpsChannel
CREATE JSS SSLSocket
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_VersionRangeSetDefault() for variant=0 with min=768 max=770 out of range (769:772): 0: (0) Unknown error
 at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(Native Method)
 at org.mozilla.jss.ssl.SSLSocket.setSSLVersionRangeDefault(SSLSocket.java:1398)
 at com.netscape.management.client.comm.HttpsChannel.open(Unknown Source)
 at com.netscape.management.client.comm.CommManager.send(Unknown Source)
 at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
 at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
 at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
 at com.netscape.management.client.console.Console.<init>(Unknown Source)
 at com.netscape.management.client.console.Console.main(Unknown Source)
---- [clip] ----

389-console does not even try to connect to the server. (I verified that with Wireshark.)

tags: added: bionic
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in jss (Ubuntu):
status: New → Confirmed
Changed in 389-console (Ubuntu):
status: New → Confirmed
Larry Prikockis (lprikockis) wrote :

I'm still running into this problem on 18.04.2 LTS. Is there some fix/workaround other than downgrading to an old version of Java? For a variety of other reasons, that's not an option for me.

Timo Aaltonen (tjaalton) wrote :

389-console is gone from the distro since 18.10

Changed in jss (Ubuntu):
status: Confirmed → Invalid
Changed in 389-console (Ubuntu):
status: Confirmed → Won't Fix