[Seasar-user:13154] Using s2directory on Tomcat

Ryuusei Murakami [E-MAIL ADDRESS DELETED]
Wed, 5 Mar 2008 13:55:58 JST


Hello, my name is Murakami.

To perform LDAP authentication via the web, I am using s2directory 0.6 to
connect to ApacheDS 1.0.2 (ldaps), but even when I use
org.seasar.directory.impl.PermissiveSSLSocketFactory
I cannot establish an SSL connection.
# Without SSL it connects without any problem.

Environment:
s2 2.4.20
s2directory 0.6
tomcat 5.5 (non-ssl)
apacheDS 1.0.2

In a Java application that uses s2directory without going through Tomcat,
the SSL connection works fine, but when going through Tomcat it appears that
BasicDirectoryHandler catches a NamingException during authenticate and returns false.
Looking at the ApacheDS-side log, it also looks as if it is failing
partway through the handshake...

Has anyone run into this kind of issue?

---
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  doHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]   initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Unwrap res:Status = BUFFER_UNDERFLOW
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[org.apache.mina.filter.executor.ExecutorFilter] - Launching thread for
/192.168.xxx.yyy:3340
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Data Read:
[E-MAIL ADDRESS DELETED] (DirectBuffer[pos=0
lim=100 cap=8192: 80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00
00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 16 00 00 13 00
00 09 06 00 40 00 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00
00 11 47 CE 1F C6 A1 AA 22 07 03 24 09 27 EC 7B 3A 9D EF BC A8 F2 03 E0
76 EE 64 74 D6 83 A8 E8 A5 6F])
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  doHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]   initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=100 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Unwrap res:Status = OK HandshakeStatus =
NEED_TASK
bytesConsumed = 100 bytesProduced = 0
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]   initialHandshakeStatus=NEED_TASK
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    doTasks()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]     doTask:
com.sun.net.ssl.internal.ssl.Handshaker$[E-MAIL ADDRESS DELETED]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    doTasks(): NEED_WRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]   initialHandshakeStatus=NEED_WRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Wrap res:Status = OK HandshakeStatus =
NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 557
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  write outNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=557 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  session write: DirectBuffer[pos=0 lim=557
cap=1024: (snip...)]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Filtered Write:
[E-MAIL ADDRESS DELETED]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    already encrypted: DirectBuffer[pos=0
lim=557 cap=1024: (snip...)]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]   initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Unwrap res:Status = BUFFER_UNDERFLOW
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[org.apache.mina.filter.executor.ExecutorFilter] - Exiting since queue
is empty for /192.168.xxx.yyy:3340
[org.apache.mina.filter.executor.ExecutorFilter] - Launching thread for
/192.168.xxx.yyy:3340
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Data Read:
[E-MAIL ADDRESS DELETED] (DirectBuffer[pos=0
lim=7 cap=8192: 15 03 01 00 02 02 0A])
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  doHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]   initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]    appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340]  Closed:
[E-MAIL ADDRESS DELETED]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unexpected exception from
SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(Unknown Source)
	at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
	at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:359)
	at
org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
	at
org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:54)
	at
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:781)
	at
org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:265)
	at
org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
	at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
	at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
	at java.lang.Thread.run(Unknown Source)
[13:21:26] WARN
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unexpected exception forcing session to close:
sending disconnect notice to client.
javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:425)
	at
org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
	at
org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
	at
org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
	at
org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:243)
	at
org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
	at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
	at
edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
	at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: Received fatal alert:
unexpected_message
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
	at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
	at
org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:677)
	at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:494)
	at
org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:293)
	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:393)
	... 8 more
[org.apache.mina.filter.executor.ExecutorFilter] - Exiting since queue
is empty for /192.168.xxx.yyy:3340


-- 
% Ryuusei Murakami / [E-MAIL ADDRESS DELETED]
% http://www.scientia.co.jp/
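The two client-originated records in the log above, decoded by a small record parser. This is an added example, not code from the post or from s2directory/ApacheDS; the hex bytes are copied verbatim from the two "Data Read" lines, and the alert and cipher-suite names are the standard SSL/TLS registry values.

```python
"""Decode the records ApacheDS logged: a 100-byte SSLv2-format ClientHello
and a 7-byte TLS alert record (bytes copied from the server log above)."""

FIRST_RECORD_HEX = (
    "80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 "
    "00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 16 00 00 13 00 "
    "00 09 06 00 40 00 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 "
    "00 11 47 CE 1F C6 A1 AA 22 07 03 24 09 27 EC 7B 3A 9D EF BC A8 F2 03 E0 "
    "76 EE 64 74 D6 83 A8 E8 A5 6F"
)
LAST_RECORD_HEX = "15 03 01 00 02 02 0A"

VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 80: "internal_error"}


def parse_hex(text: str) -> bytes:
    """Turn a space-separated hex dump, as printed in the log, into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def decode_record(data: bytes) -> dict:
    """Classify one record: SSLv2 header (high bit set) or TLS record layer."""
    if data[0] & 0x80:
        # SSLv2 record: 2-byte header, bit 15 set, 15-bit body length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length:
            raise ValueError("truncated SSLv2 record")
        if body[0] != 0x01:  # only CLIENT-HELLO (type 1) is decoded here
            return {"format": "sslv2", "msg_type": body[0]}
        cipher_len = int.from_bytes(body[3:5], "big")
        session_id_len = int.from_bytes(body[5:7], "big")
        challenge_len = int.from_bytes(body[7:9], "big")
        specs = body[9:9 + cipher_len]  # 3-byte SSLv2-style cipher specs
        return {"format": "sslv2", "msg_type": "CLIENT-HELLO",
                "version": VERSIONS.get((body[1], body[2]), f"{body[1]}.{body[2]}"),
                "cipher_specs": [specs[i:i + 3].hex() for i in range(0, cipher_len, 3)],
                "session_id_len": session_id_len, "challenge_len": challenge_len}
    # TLS record layer: type(1) version(2) length(2) fragment.
    content_type, length = data[0], int.from_bytes(data[3:5], "big")
    fragment = data[5:5 + length]
    result = {"format": "tls", "content_type": CONTENT_TYPES.get(content_type, content_type),
              "version": VERSIONS.get((data[1], data[2]), f"{data[1]}.{data[2]}")}
    if content_type == 21 and length == 2:  # alert: level byte + description byte
        result["alert_level"] = ALERT_LEVELS.get(fragment[0], fragment[0])
        result["alert_description"] = ALERT_DESCRIPTIONS.get(fragment[1], fragment[1])
    return result
```

Run against the log bytes, the first record decodes as an SSLv2-format ClientHello offering TLS 1.0 with 19 cipher specs, and the last as a fatal `unexpected_message` alert sent by the client, which is what the server-side stack trace then reports.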


