[Seasar-user:13154] Using s2directory on tomcat
Ryuusei Murakami
[E-MAIL ADDRESS DELETED]
Wed, 5 Mar 2008 13:55:58 JST
Hello, my name is Murakami.
In order to do LDAP authentication via the web, I am using s2directory 0.6
and trying to connect to ApacheDS 1.0.2 (ldaps), but even when I use
org.seasar.directory.impl.PermissiveSSLSocketFactory
I cannot get an SSL connection.
# Non-SSL connects without any problem.
Environment:
s2 2.4.20
s2directory 0.6
tomcat 5.5 (non-ssl)
apacheDS 1.0.2
In a Java application that uses s2directory without going through tomcat,
the SSL connection works fine, but when going through tomcat, it seems that
during authenticate a NamingException is caught in BasicDirectoryHandler
and false is returned.
Looking at the ApacheDS-side log, it also looks like it is failing partway
through the handshake...
Has anyone run into this kind of issue?
---
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] doHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unwrap res:Status = BUFFER_UNDERFLOW
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[org.apache.mina.filter.executor.ExecutorFilter] - Launching thread for
/192.168.xxx.yyy:3340
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Data Read:
[E-MAIL ADDRESS DELETED] (DirectBuffer[pos=0
lim=100 cap=8192: 80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00
00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 16 00 00 13 00
00 09 06 00 40 00 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00
00 11 47 CE 1F C6 A1 AA 22 07 03 24 09 27 EC 7B 3A 9D EF BC A8 F2 03 E0
76 EE 64 74 D6 83 A8 E8 A5 6F])
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] doHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=100 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unwrap res:Status = OK HandshakeStatus =
NEED_TASK
bytesConsumed = 100 bytesProduced = 0
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] initialHandshakeStatus=NEED_TASK
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] doTasks()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] doTask:
com.sun.net.ssl.internal.ssl.Handshaker$[E-MAIL ADDRESS DELETED]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] doTasks(): NEED_WRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] initialHandshakeStatus=NEED_WRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Wrap res:Status = OK HandshakeStatus =
NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 557
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] write outNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=557 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] session write: DirectBuffer[pos=0 lim=557
cap=1024: (snip...)]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Filtered Write:
[E-MAIL ADDRESS DELETED]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] already encrypted: DirectBuffer[pos=0
lim=557 cap=1024: (snip...)]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=0 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unwrap res:Status = BUFFER_UNDERFLOW
HandshakeStatus = NEED_UNWRAP
bytesConsumed = 0 bytesProduced = 0
[org.apache.mina.filter.executor.ExecutorFilter] - Exiting since queue
is empty for /192.168.xxx.yyy:3340
[org.apache.mina.filter.executor.ExecutorFilter] - Launching thread for
/192.168.xxx.yyy:3340
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Data Read:
[E-MAIL ADDRESS DELETED] (DirectBuffer[pos=0
lim=7 cap=8192: 15 03 01 00 02 02 0A])
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] doHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] initialHandshakeStatus=NEED_UNWRAP
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] unwrapHandshake()
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] inNetBuffer:
java.nio.DirectByteBuffer[pos=0 lim=7 cap=16665]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] appBuffer: java.nio.DirectByteBuffer[pos=0
lim=33330 cap=33330]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Closed:
[E-MAIL ADDRESS DELETED]
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unexpected exception from
SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's
close_notify: possible truncation attack?
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.closeInbound(Unknown Source)
at org.apache.mina.filter.support.SSLHandler.destroy(SSLHandler.java:165)
at org.apache.mina.filter.SSLFilter.sessionClosed(SSLFilter.java:359)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextSessionClosed(AbstractIoFilterChain.java:321)
at org.apache.mina.common.support.AbstractIoFilterChain.access$900(AbstractIoFilterChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.sessionClosed(AbstractIoFilterChain.java:781)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:265)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Unknown Source)
[13:21:26] WARN
[org.apache.directory.server.ldap.LdapProtocolProvider$LdapProtocolHandler]
- [/192.168.xxx.yyy:3340] Unexpected exception forcing session to close:
sending disconnect notice to client.
javax.net.ssl.SSLHandshakeException: Initial SSL handshake failed.
at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:425)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1200(AbstractIoFilterChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:243)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:305)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:665)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:690)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: Received fatal alert:
unexpected_message
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:677)
at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:494)
at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:293)
at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:393)
... 8 more
[org.apache.mina.filter.executor.ExecutorFilter] - Exiting since queue
is empty for /192.168.xxx.yyy:3340
--
% Ryuusei Murakami / [E-MAIL ADDRESS DELETED]
% http://www.scientia.co.jp/
Seasar-user mailing list information
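The two "Data Read" records in the ApacheDS log above contain enough raw bytes to see which side aborted the handshake. The following decoder is an added example, not code from s2directory, ApacheDS or the original poster; the only input it uses is the hex copied from the posted log, and the cipher-suite and alert name tables are the standard SSLv2/TLS assignments. Decoding shows that the client opened with an SSLv2-compatible ClientHello (2-byte record header, version 3.1 = TLS 1.0, 19 cipher specs including several SSLv2-only and export kinds, empty session ID), the server answered with a 557-byte flight, and the client then sent a 7-byte TLS alert record: level 2 (fatal), description 10 (unexpected_message). The server's later "possible truncation attack?" exception is just JSSE's reaction to the socket closing without a close_notify, not the cause of the failure; the actual rejection came from the client side.

```python
"""Decode the client-side SSL/TLS records quoted in the ApacheDS log.

Added example. The two hex strings are copied from the posted log
(the 100-byte "Data Read" record and the 7-byte one that precedes the
handshake failure); nothing else here comes from s2directory or ApacheDS.
"""
import struct

# First "Data Read" record from the log: SSLv2-compatible ClientHello.
CLIENT_HELLO_HEX = (
    "80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 "
    "00 05 00 00 2F 00 00 33 00 00 32 00 00 0A 07 00 C0 00 00 16 00 00 13 00 "
    "00 09 06 00 40 00 00 15 00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 "
    "00 11 47 CE 1F C6 A1 AA 22 07 03 24 09 27 EC 7B 3A 9D EF BC A8 F2 03 E0 "
    "76 EE 64 74 D6 83 A8 E8 A5 6F"
)
# Second "Data Read" record from the log: a TLS alert.
ALERT_HEX = "15 03 01 00 02 02 0A"

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# 3-byte SSLv2 cipher kinds (first byte non-zero) and 2-byte TLS suites.
SSL2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
TLS_CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA", 0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA", 0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version"}


def parse_sslv2_client_hello(data: bytes) -> dict:
    """Parse an SSLv2-style CLIENT-HELLO (2-byte header, high bit set, no padding)."""
    if not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated SSLv2 record")
    if body[0] != 1:
        raise ValueError(f"SSLv2 message type {body[0]} is not CLIENT-HELLO")
    version, cipher_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if cipher_len % 3 or 9 + cipher_len + sid_len + chal_len != length:
        raise ValueError("CLIENT-HELLO length fields do not add up")
    off = 9
    specs, off = body[off:off + cipher_len], off + cipher_len
    session_id, off = body[off:off + sid_len], off + sid_len
    challenge = body[off:off + chal_len]
    ciphers = []
    for i in range(0, cipher_len, 3):
        spec = specs[i:i + 3]
        if spec[0] == 0:  # 00 xx yy: a TLS/SSLv3 suite carried in SSLv2 framing
            code = (spec[1] << 8) | spec[2]
            ciphers.append(TLS_CIPHER_SUITES.get(code, f"TLS 0x{code:04x}"))
        else:             # SSLv2-only cipher kind
            code = int.from_bytes(spec, "big")
            ciphers.append(SSL2_CIPHER_KINDS.get(code, f"SSLv2 0x{code:06x}"))
    return {"format": "SSLv2-compatible ClientHello",
            "version": VERSIONS.get(version, f"0x{version:04x}"),
            "cipher_specs": ciphers, "session_id": session_id.hex(),
            "challenge": challenge.hex()}


def parse_tls_alert(data: bytes) -> dict:
    """Parse a TLS record of content type 0x15 (alert): level + description."""
    content_type, version, length = struct.unpack(">BHH", data[:5])
    if content_type != 0x15:
        raise ValueError(f"content type 0x{content_type:02x} is not alert")
    if length != 2 or len(data) != 7:
        raise ValueError("malformed alert record")
    level, desc = data[5], data[6]
    return {"format": "TLS alert record",
            "version": VERSIONS.get(version, f"0x{version:04x}"),
            "level": ALERT_LEVELS.get(level, str(level)),
            "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}


def decode(hex_text: str) -> dict:
    """Dispatch on the first byte: high bit set => SSLv2 framing, else TLS record."""
    data = bytes.fromhex(hex_text)  # whitespace between bytes is ignored
    return parse_sslv2_client_hello(data) if data[0] & 0x80 else parse_tls_alert(data)


if __name__ == "__main__":
    for record in (CLIENT_HELLO_HEX, ALERT_HEX):
        print(decode(record))
```

Running it prints the ClientHello with version TLS 1.0 and 19 cipher specs (the first two being TLS_RSA_WITH_RC4_128_MD5 and SSL_CK_RC4_128_WITH_MD5), and the second record as a fatal unexpected_message alert. When comparing the working stand-alone JVM against the failing tomcat case, capturing the same first client record from each and feeding it through this decoder is a quick way to see whether the two processes are even speaking the same handshake format before digging into socket-factory configuration.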