X-pack/ldaps error: RFC822Name may not be null or empty


(Jin) #1

It looks to me like x-pack deployed by ECE 1.1.3 requires an X509 Subject Alternative Name to be present in the LDAPS server certificate. Otherwise, x-pack generates a Java exception "RFC822Name may not be null or empty". Java deployed by ECE is 1.8.0_144.

Can someone advise if there is a workaround to bypass this check if the LDAPS server certificate cannot be easily modified?

Thank you.

Jin.


(Tim Vernum) #2

requires X509 Subject Alternative Name presented in LDAPS server certificate

That should not be the case, and the error you're seeing doesn't quite fit that conclusion.
From the error you are seeing, it looks like your certificate does have an RFC822 name field in the SAN, but it is blank (which is different from it not being present).

That certificate is not valid - you cannot have a blank RFC822 name (email address).

You might be able to work around it by changing the value of ssl.verification_mode on your realm, but I'm not particularly confident. My suspicion is that the SSL engine will try and parse the certificate before we even decide whether it needs to be verified/trusted.


(Jin) #3

I tried setting "ssl.verification_mode: none", which suppressed the boot loop when I configured the cluster. However, the same RFC822 error comes out when a user tries to log in, and the user login then fails. If I re-point ldaps to a server with a SAN in the certificate, the cluster does not complain about the RFC822 error.

[2018-05-29T13:51:15,967][WARN ][org.elasticsearch.xpack.security.authc.AuthenticationService] Authentication to realm ldap1 failed - authenticate failed (Caused by LDAPException(resultCode=81 (server down), errorMessage='An error occurred while attempting to send the LDAP message to server ldap.company.com:636:  SSLProtocolException(message='java.io.IOException: RFC822Name may not be null or empty', trace='<init>(HandshakeMessage.java:452) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1026) / process_record(Handshaker.java:961) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / readDataRecord(SSLSocketImpl.java:938) / read(AppInputStream.java:105) / fill(BufferedInputStream.java:246) / read(BufferedInputStream.java:265) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', cause=CertificateParsingException(message='java.io.IOException: RFC822Name may not be null or empty', trace='<init>(X509CertInfo.java:169) / parse(X509CertImpl.java:1804) / <init>(X509CertImpl.java:195) / engineGenerateCertificate(X509Factory.java:102) / generateCertificate(CertificateFactory.java:339) / <init>(HandshakeMessage.java:449) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1026) / process_record(Handshaker.java:961) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / readDataRecord(SSLSocketImpl.java:938) / read(AppInputStream.java:105) / fill(BufferedInputStream.java:246) / read(BufferedInputStream.java:265) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', cause=IOException(message='RFC822Name may not be null or empty', trace='parseName(RFC822Name.java:83) / 
<init>(RFC822Name.java:55) / <init>(GeneralName.java:104) / <init>(GeneralSubtree.java:78) / <init>(GeneralSubtrees.java:81) / <init>(NameConstraintsExtension.java:196) / newInstance0(NativeConstructorAccessorImpl.java:native) / newInstance(NativeConstructorAccessorImpl.java:62) / newInstance(DelegatingConstructorAccessorImpl.java:45) / newInstance(Constructor.java:423) / parseExtension(CertificateExtensions.java:113) / init(CertificateExtensions.java:88) / <init>(CertificateExtensions.java:78) / parse(X509CertInfo.java:702) / <init>(X509CertInfo.java:167) / parse(X509CertImpl.java:1804) / <init>(X509CertImpl.java:195) / engineGenerateCertificate(X509Factory.java:102) / generateCertificate(CertificateFactory.java:339) / <init>(HandshakeMessage.java:449) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1026) / process_record(Handshaker.java:961) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / readDataRecord(SSLSocketImpl.java:938) / read(AppInputStream.java:105) / fill(BufferedInputStream.java:246) / read(BufferedInputStream.java:265) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', revision=24201), revision=24201), revision=24201)', diagnosticMessage='An error occurred while attempting to send the LDAP message to server ldap.company.com:636:  SSLProtocolException(message='java.io.IOException: RFC822Name may not be null or empty', trace='<init>(HandshakeMessage.java:452) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1026) / process_record(Handshaker.java:961) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / readDataRecord(SSLSocketImpl.java:938) / read(AppInputStream.java:105) / fill(BufferedInputStream.java:246) / read(BufferedInputStream.java:265) / read(ASN1StreamReader.java:992) 
/ readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', cause=CertificateParsingException(message='java.io.IOException: RFC822Name may not be null or empty', trace='<init>(X509CertInfo.java:169) / parse(X509CertImpl.java:1804) / <init>(X509CertImpl.java:195) / engineGenerateCertificate(X509Factory.java:102) / generateCertificate(CertificateFactory.java:339) / <init>(HandshakeMessage.java:449) / processMessage(ClientHandshaker.java:216) / processLoop(Handshaker.java:1026) / process_record(Handshaker.java:961) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / readDataRecord(SSLSocketImpl.java:938) / read(AppInputStream.java:105) / fill(BufferedInputStream.java:246) / read(BufferedInputStream.java:265) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', cause=IOException(message='RFC822Name may not be null or empty', trace='parseName(RFC822Name.java:83) / <init>(RFC822Name.java:55) / <init>(GeneralName.java:104) / <init>(GeneralSubtree.java:78) / <init>(GeneralSubtrees.java:81) / <init>(NameConstraintsExtension.java:196) / newInstance0(NativeConstructorAccessorImpl.java:native) / newInstance(NativeConstructorAccessorImpl.java:62) / newInstance(DelegatingConstructorAccessorImpl.java:45) / newInstance(Constructor.java:423) / parseExtension(CertificateExtensions.java:113) / init(CertificateExtensions.java:88) / <init>(CertificateExtensions.java:78) / parse(X509CertInfo.java:702) / <init>(X509CertInfo.java:167) / parse(X509CertImpl.java:1804) / <init>(X509CertImpl.java:195) / engineGenerateCertificate(X509Factory.java:102) / generateCertificate(CertificateFactory.java:339) / <init>(HandshakeMessage.java:449) / processMessage(ClientHandshaker.java:216) / 
processLoop(Handshaker.java:1026) / process_record(Handshaker.java:961) / readRecord(SSLSocketImpl.java:1072) / performInitialHandshake(SSLSocketImpl.java:1385) / readDataRecord(SSLSocketImpl.java:938) / read(AppInputStream.java:105) / fill(BufferedInputStream.java:246) / read(BufferedInputStream.java:265) / read(ASN1StreamReader.java:992) / readType(ASN1StreamReader.java:329) / beginSequence(ASN1StreamReader.java:912) / readLDAPResponseFrom(LDAPMessage.java:1146) / run(LDAPConnectionReader.java:251)', revision=24201), revision=24201), revision=24201)'))

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.