KB Article #181155
LDAPS connection is using endpoint identification
Problem
After upgrading to MailGate 5.6.1 or later, LDAP connections over TLS/SSL fail with "No subject alternative names present" errors in the Application Log. The same connection settings worked in MG 5.6.0 and earlier versions.
Error Details:
ERROR[LDAPConnection]LDAP Connection problem with <LDAP_DIRECTORY>: javax.naming.CommunicationException: <IP>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
.
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
.
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
.
ERROR[LDAPUtil]javax.naming.CommunicationException: <IP>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]
Resolution
Use the LDAP server's host name instead of its IP address for LDAP connections, or include the IP address in the SubjectAlternativeName extension of the LDAP server's certificate.
Reason:
The endpoint identification check has been enabled by default since the Java update to 1.8.0_181 in MailGate 5.6.1. The same applies to MailGate 5.6.2, which uses OpenJDK version 1.8.0_232.
From the Java 1.8.0_181 release notes:
[[
Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
]]
Link to the Java 1.8.0_181 Release Notes (search for the 'Improve LDAP support' section on the page):
https://www.oracle.com/java/technologies/javase/8u181-relnotes.html
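To show why the IP-based connection fails while the host-name-based one succeeds, the following added Python example (not MailGate's or Java's own code) mirrors the matching rules of sun.security.util.HostnameChecker over constructed certificate data in the layout Python's ssl.getpeercert() returns; the sample names and addresses are assumptions.

```python
import ipaddress

# Constructed sample certificates, laid out the way ssl.SSLSocket.getpeercert()
# returns them (assumed names/addresses; a real server cert is fetched the same way).
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "10.0.0.5")),
}


def _common_name(cert):
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)


def _dns_matches(pattern, host):
    # Java wildcard rule, simplified: a single leading "*." covers exactly one label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_endpoint(cert, endpoint):
    """Mirror HostnameChecker's decision for one endpoint; return (ok, reason)."""
    san = cert.get("subjectAltName")
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        # matchIP(): an IP endpoint is compared only with iPAddress SAN entries,
        # and a certificate without any SAN extension fails outright.
        if not san:
            return False, "No subject alternative names present"
        if any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in san):
            return True, "matched iPAddress SAN"
        return False, f"No subject alternative names matching IP address {endpoint} found"
    # matchDNS(): dNSName SAN entries decide; the subject CN is consulted only when none exist.
    dns_names = [v for t, v in (san or ()) if t == "DNS"]
    if dns_names:
        if any(_dns_matches(p, endpoint) for p in dns_names):
            return True, "matched dNSName SAN"
        return False, f"No subject alternative DNS name matching {endpoint} found"
    cn = _common_name(cert)
    if cn and _dns_matches(cn, endpoint):
        return True, "matched subject CN (no dNSName SAN present)"
    return False, f"No name matching {endpoint} found"


if __name__ == "__main__":
    for cert, ep in ((CERT_CN_ONLY, "10.0.0.5"), (CERT_CN_ONLY, "ldap.example.com"),
                     (CERT_WITH_SAN, "10.0.0.5")):
        print(ep, "->", check_endpoint(cert, ep))
```

Setting com.sun.jndi.ldap.object.disableEndpointIdentification removes this name check entirely rather than fixing the mismatch, so the host-name or certificate change in the Resolution keeps the LDAPS session bound to the intended server.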