users@glassfish.java.net

SSL Client Certificate Error with v3 but not v2 using LDAPS

From: Kevin Schmidt <ktschmidt_at_gmail.com>
Date: Wed, 26 Sep 2012 22:22:09 -0700

Hi,

I have an application running in GlassFish that makes a connection to an
LDAP server using SSL and it works fine in GlassFish v2, but in v3 the SSL
handshake fails with the LDAP server reporting this error:

[25/Sep/2012:20:16:09 -0400] conn=8346156 op=-1 msgId=-1 - fd=69 slot=69
LDAPS connection from 10.171.11.11:47721 to 10.178.23.133
[25/Sep/2012:20:16:09 -0400] conn=8346156 op=-1 msgId=-1 - SSL error-8156
(Issuer certificate is invalid.); unauthenticated client
CN=sigma,OU=GlassFish,O=Oracle Corporation,L=Santa
Clara,ST=California,C=US; issuer CN=sigma,OU=GlassFish,O=Oracle
Corporation,L=Santa Clara,ST=California,C=US

The LDAP server is not configured to require client certificate
authentication, so I'm confused as to why a client certificate is being
sent. My understanding of the handshake is that it would only be sent if
the server requests it, which it isn't doing.

Did something change between v2 and v3 in how the SSL handshake is done for
clients running in GlassFish and connecting to a resource using SSL? Is
there certain configuration that I need to check or verify in v3 that may
have defaulted to what works in v2 but not v3?

Thanks,

Kevin
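One way to make the client-certificate decision explicit rather than leaving it to the default key manager, as an added example that is not code from the post or from GlassFish: the wrapper below is only consulted when the server actually sends a CertificateRequest, logs that fact, and returns either a chosen alias or none at all. The KeyStore, its password and the alias name are assumptions supplied by the caller.

```java
import javax.net.ssl.*;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;

/** Wraps the JDK key manager so client-certificate selection is visible and controlled. */
public final class ClientCertPolicy extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String forcedAlias; // null = never present a client certificate

    private ClientCertPolicy(X509ExtendedKeyManager delegate, String forcedAlias) {
        this.delegate = delegate;
        this.forcedAlias = forcedAlias;
    }

    /** Builds an SSLContext using the given keystore (assumed) and an explicit client alias or null. */
    public static SSLContext build(KeyStore keyStore, char[] password, String forcedAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        X509ExtendedKeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) { base = (X509ExtendedKeyManager) km; break; }
        }
        if (base == null) throw new IllegalStateException("no X509ExtendedKeyManager available");
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null TrustManagers = JDK default trust store; server cert validation is unchanged
        ctx.init(new KeyManager[] { new ClientCertPolicy(base, forcedAlias) }, null, null);
        return ctx;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // Reached only if the server sent a CertificateRequest, which answers the "did it ask?" question.
        System.err.println("Server requested a client certificate; acceptable issuers: "
            + (issuers == null ? 0 : issuers.length));
        return forcedAlias; // returning null sends an empty certificate list instead of a default key
    }

    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return forcedAlias;
    }

    // Everything else passes straight through to the JDK key manager.
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public String chooseServerAlias(String k, Principal[] i, Socket s) { return delegate.chooseServerAlias(k, i, s); }
    @Override public java.security.cert.X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public java.security.PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}
```

For a JNDI LDAP connection the resulting context is wired in through a custom SSLSocketFactory passed via the standard `java.naming.ldap.factory.socket` environment property, or process-wide with `SSLContext.setDefault(ctx)`.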