Cannot connect to LDAPS

I’m trying to connect to our Windows AD via LDAPS, but it is failing. The only relevant thing I found in the logs is:

Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=*REDACTED*

It’s not an issue with the credentials, they work on LDAP with no TLS. It’s also not an issue with LDAP, as I can connect via LDAPS using ldapsearch. This issue seems related to Java security, as the certificate it’s complaining about really is 1024 bit.

My question is, where is the default java.security file that Graylog uses, and can the security parameters be changed so that it accepts keys 1024 bit or more?

  • OS Information: Alma Linux 8.5
  • Package Version: Graylog v4.2.5

Let me know if you need any more details from me.
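As an added example (not Graylog's code and not part of the original question): the JVM reads the `java.security` that sits beside the launcher it was started with, so resolving the symlink chain behind `/usr/bin/java` gives the file, and on RHEL-family builds such as Alma the distro OpenJDK additionally loads the system crypto policy (`/etc/crypto-policies/back-ends/java.config`) when `security.useSystemPropertiesFile=true`, which overrides the keys it defines. The script below builds a constructed JDK 8 tree in a temporary directory so it runs offline; the two policy strings inside it are constructed samples, not copied from a real install.

```python
"""Find the java.security a given launcher reads and compute what it
effectively enforces (master file, system crypto policy, overlay)."""
import os
import re
import tempfile

# RHEL/Alma system crypto policy that distro OpenJDK builds load in addition
# to java.security when security.useSystemPropertiesFile=true.
SYSTEM_POLICY_FILE = "/etc/crypto-policies/back-ends/java.config"


def java_home_from_binary(java_binary):
    """Follow symlinks (/usr/bin/java -> alternatives -> real JDK) and return
    the directory two levels above the real binary: <jre> on 8, <jdk> on 9+."""
    return os.path.dirname(os.path.dirname(os.path.realpath(java_binary)))


def java_security_path(java_binary):
    """Return the master security properties file for this launcher."""
    home = java_home_from_binary(java_binary)
    for rel in ("lib/security/java.security",    # JDK 8: <jre>/lib/security
                "conf/security/java.security"):  # JDK 9+: <jdk>/conf/security
        candidate = os.path.join(home, rel)
        if os.path.isfile(candidate):
            return candidate
    return None


def parse_properties(path):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or
    key: value, and backslash line continuations."""
    props, pending = {}, ""
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if pending:
                line, pending = pending + line, ""
            elif not line or line[0] in "#!":
                continue
            if line.endswith("\\"):
                pending = line[:-1]
                continue
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2).strip()
    return props


def effective_properties(java_security, system_policy=SYSTEM_POLICY_FILE,
                         overlay=None):
    """Merge in the order the JVM applies them: master file, then the system
    crypto policy (RHEL-family builds, when enabled), then an optional
    -Djava.security.properties=<overlay> file. Later files win per key."""
    props = parse_properties(java_security)
    use_system = props.get("security.useSystemPropertiesFile", "false")
    if use_system.lower() == "true" and os.path.isfile(system_policy):
        props.update(parse_properties(system_policy))
    if overlay:
        props.update(parse_properties(overlay))
    return props


def build_demo_tree(root):
    """Constructed fixture, not a real install: a JDK 8 layout reached via a
    /usr/bin/java symlink, a java.security carrying an upstream-style
    'RSA keySize < 1024' rule plus security.useSystemPropertiesFile=true,
    and a system policy that tightens RSA to 2048 bits."""
    jre = os.path.join(root, "usr/lib/jvm/java-1.8.0-openjdk/jre")
    os.makedirs(os.path.join(jre, "bin"))
    os.makedirs(os.path.join(jre, "lib/security"))
    real_java = os.path.join(jre, "bin/java")
    open(real_java, "w").close()
    link = os.path.join(root, "usr/bin/java")
    os.makedirs(os.path.dirname(link))
    os.symlink(real_java, link)
    with open(os.path.join(jre, "lib/security/java.security"), "w") as fh:
        fh.write("# constructed sample, not a real JDK file\n")
        fh.write("jdk.certpath.disabledAlgorithms=MD2, MD5, "
                 "SHA1 jdkCA & usage TLSServer, \\\n"
                 "    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224\n")
        fh.write("security.useSystemPropertiesFile=true\n")
    policy = os.path.join(root, "etc/crypto-policies/back-ends/java.config")
    os.makedirs(os.path.dirname(policy))
    with open(policy, "w") as fh:
        fh.write("jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048\n")
    return link, policy


def demo():
    """Run the lookup against the constructed tree and return what was found."""
    key = "jdk.certpath.disabledAlgorithms"
    with tempfile.TemporaryDirectory() as root:
        java_link, policy = build_demo_tree(root)
        master = java_security_path(java_link)
        return {
            "master": master,
            "upstream": effective_properties(master, system_policy="/nonexistent")[key],
            "system": effective_properties(master, system_policy=policy)[key],
        }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:9}: {value}")
```

On a live host the same lookup is `java_security_path("/usr/bin/java")` or, more precisely, `java_security_path(os.readlink("/proc/<graylog pid>/exe"))`, which avoids guessing when several JDKs are installed (Elasticsearch ships its own, for instance). The `system` result is the shape that produces "keysize limits: RSA 1024 bit key" even though the master file alone would allow 1024-bit RSA.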

Hello,

Seeing you're using Alma, you may be able to find your Java path here.

vi /etc/sysconfig/graylog-server

Here are the rest of the file locations if needed.

Out of curiosity are you using certificates for the connection?
If not, I believe that Windows Active Directory requires certificates when using port 636 /w TLS?
You can find more here

If you have done this already then your certificates may need to be reconfigured like so.

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

hope that helps.

Hi,

Thanks for the quick reply there. The /etc/sysconfig/graylog-server is for additional java OPTS, such as changing the java heap size for the graylog nodes, or providing a non-default java truststore, etc.

I actually do have a java truststore which has the defaults in it, alongside the CA that signed the certificate graylog is using, and I also added the certificate of the ldap connection, but that didn’t help.

/etc/sysconfig/graylog-server

# Path to JVM trust store with graylog cert
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=/etc/pki/java/graylog/graylog.jks"

I can’t find any mention of which java security file it loads by default. Below is the command that Graylog runs with:

graylog   800273  1.1 16.9 5457540 1344408 ?     Sl   Feb14  11:38 /usr/bin/java -Xms1536m -Xmx1536m -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknowledgeCloseNotify=true -Dlog4j2.formatMsgNoLookups=true -Djavax.net.ssl.trustStore=/etc/pki/java/graylog/graylog.jks -Djava.security.policy -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np

I’ve set up TLS encryption on Graylog, its API, and the web UI:

http_enable_tls = true
http_tls_cert_file = /etc/pki/tls/certs/graylog/graylog.crt
http_tls_key_file = /etc/pki/tls/certs/graylog/graylog.key
http_tls_key_password =
rest_enable_tls = true
rest_tls_cert_file = /etc/pki/tls/certs/graylog/graylog.crt
rest_tls_key_file = /etc/pki/tls/certs/graylog/graylog.key
rest_tls_key_password =
web_enable_tls = true
web_tls_cert_file = /etc/pki/tls/certs/graylog/graylog.crt
web_tls_key_file = /etc/pki/tls/certs/graylog/graylog.key
web_tls_key_password =

I’ve also added the CA that signed said cert to the java trusted keystore. This was done before so it’s not an issue with that. Everything that Graylog uses is in a specific directory owned by the graylog user and group to ensure it can be read.

On the Windows side, there’s a certificate on the host on port 636 which “openssl s_client” reports to be 1024 bits long, but my colleague says it’s 2048, so we’re unsure what’s happening here.

Since this is an internal Graylog used for monitoring Windows DNS debug logs, instead of going through the trouble of spending a bunch of time troubleshooting the cause, we’d rather just modify the Java security file to accept keys of 1024 bits or more; I just can’t find which one it actually uses.

These are the only ones “find / -name java.security” can find.

/etc/java/java-1.8.0-openjdk/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/lib/security/java.security
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.312.b07-2.el8_5.x86_64/jre/lib/security/java.security
/usr/share/elasticsearch/jdk/conf/security/java.security

The problem is, this no longer requires knowledge about Graylog, but rather about Java. The best workaround I can think of is whitelisting ldaps://some_server:636, I assume in the java.policy file, but I simply cannot find any valid simple documentation on how to do this, since I know nothing about Java.

If there are any tips on how I can whitelist something, or simply change the policy it is triggering, I’d greatly appreciate it. Below is the full error given in /var/log/graylog-server/server.log

2022-02-14T08:24:00.201-05:00 ERROR [ADAuthServiceBackend] ActiveDirectory error
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server 192.168.0.13:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28'))
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:915) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:802) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:740) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:560) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:329) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:688) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:592) ~[graylog.jar:?]
        at org.graylog.security.authservice.ldap.UnboundLDAPConnector.connect(UnboundLDAPConnector.java:130) ~[graylog.jar:?]
        at org.graylog.security.authservice.backend.ADAuthServiceBackend.authenticateAndProvision(ADAuthServiceBackend.java:89) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:102) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:65) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:93) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:71) ~[graylog.jar:?]
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:225) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:275) ~[graylog.jar:?]
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) ~[graylog.jar:?]
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) ~[graylog.jar:?]
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:275) ~[graylog.jar:?]
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) ~[graylog.jar:?]
        at org.graylog2.shared.security.SessionCreator.create(SessionCreator.java:82) ~[graylog.jar:?]
        at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:142) ~[graylog.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_312]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_312]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_312]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_312]
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_312]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_312]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28')
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:204) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:287) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_312]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_312]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_312]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1427) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1352) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1296) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_312]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_312]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_312]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=*REDACTED*
        at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:893) ~[?:1.8.0_312]
        at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:509) ~[?:1.8.0_312]
        at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:252) ~[?:1.8.0_312]
        at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:198) ~[?:1.8.0_312]
        at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:292) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1423) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1352) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1296) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_312]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_312]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_312]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
2022-02-14T08:24:00.211-05:00 INFO  [SessionCreator] Session creation failed due to authentication service being unavailable. Actor: "urn:graylog:user:lduvnjak"
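The trace above pins the rejection to `sun.security.util.DisabledAlgorithmConstraints` called from the certpath `AlgorithmChecker`, so the setting in play is `jdk.certpath.disabledAlgorithms` in `java.security`, not `java.policy` (which only governs SecurityManager permissions). The following is an added example, not JDK or Graylog code: it evaluates a `jdk.certpath.disabledAlgorithms` value the way the JDK's key-size rules work, so you can see which policy string rejects a 1024-bit RSA server certificate and which accepts it. Both policy strings are constructed samples: one in the shape of the upstream JDK 8 default, one in the shape of a RHEL-family system crypto policy; `rewrite_keysize` is a helper I introduce here to produce an overlay line for `-Djava.security.properties=<file>` (assumed to be appended to `GRAYLOG_SERVER_JAVA_OPTS` in `/etc/sysconfig/graylog-server`).

```python
"""Evaluate jdk.certpath.disabledAlgorithms key-size rules and build a
scoped overlay line. Added example; policy strings are constructed samples."""
import operator
import re

# "<ALG> keySize <op> <bits>" names the DISABLED range, e.g. "RSA keySize < 2048"
KEYSIZE_RULE = re.compile(r"^(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$", re.I)
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

# Constructed samples: the first mirrors the upstream JDK 8 default shape,
# the second the RHEL 8 DEFAULT crypto-policy shape that rejects 1024-bit RSA.
UPSTREAM_DEFAULT = ("MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, "
                    "DSA keySize < 1024, EC keySize < 224")
SYSTEM_POLICY = "MD2, MD5, DSA, RSA keySize < 2048"


def parse_constraints(spec):
    """Split the comma-separated value into rules:
    (ALG, None, None)        -> algorithm disabled outright
    (ALG, '<', 2048)         -> disabled when keySize < 2048
    (ALG, 'qualified', text) -> jdkCA/usage/denyAfter rules, kept, not evaluated
    'include ...' entries (jdk.tls.disabledAlgorithms style) are skipped."""
    rules = []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry or entry.lower().startswith("include "):
            continue
        m = KEYSIZE_RULE.match(entry)
        if m:
            rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif " " in entry:
            rules.append((entry.split()[0].upper(), "qualified", entry))
        else:
            rules.append((entry.upper(), None, None))
    return rules


def permits(rules, algorithm, key_bits):
    """Return (allowed, reason) for a key of this algorithm and size.
    A keySize rule describes the disabled range, so a match means rejection."""
    for alg, op, bits in rules:
        if alg != algorithm.upper():
            continue
        if op is None:
            return False, f"{alg} is disabled outright"
        if op == "qualified":
            continue  # conditional rule (jdkCA / usage / denyAfter): not modelled
        if OPS[op](key_bits, bits):
            return False, (f"{alg} {key_bits}-bit key falls in disabled range "
                           f"'keySize {op} {bits}'")
    return True, f"{algorithm.upper()} {key_bits}-bit key permitted"


def evaluate_server_cert(spec, algorithm, key_bits):
    """Convenience wrapper: parse a policy string and test one key."""
    return permits(parse_constraints(spec), algorithm, key_bits)


def rewrite_keysize(spec, algorithm, new_bits):
    """Return the spec with one algorithm's keySize threshold changed and every
    other entry untouched, suitable for an overlay file passed via
    -Djava.security.properties= so the change is scoped to that one JVM."""
    out = []
    for entry in (e.strip() for e in spec.split(",")):
        m = KEYSIZE_RULE.match(entry)
        if m and m.group(1).upper() == algorithm.upper():
            entry = f"{m.group(1)} keySize {m.group(2)} {new_bits}"
        out.append(entry)
    return ", ".join(out)


if __name__ == "__main__":
    for name, spec in (("upstream default", UPSTREAM_DEFAULT),
                       ("system policy", SYSTEM_POLICY)):
        for bits in (1024, 2048):
            ok, why = evaluate_server_cert(spec, "RSA", bits)
            print(f"{name:16} RSA {bits}: {'OK    ' if ok else 'REJECT'} ({why})")
    print("overlay line: jdk.certpath.disabledAlgorithms="
          + rewrite_keysize(SYSTEM_POLICY, "RSA", 1024))
```

Two practical points follow from running it. First, ldapsearch succeeding while Java fails is expected: OpenSSL does not apply the JDK's key-size rules, so the 1024-bit reading from `openssl s_client` is the one to trust over the colleague's 2048 figure, and the `RSA keySize < 2048` rule is exactly what the trace reports. Second, an overlay file (`key=value` to override single keys; `-Djava.security.properties==file` with two `=` replaces the whole file) relaxes the threshold for every TLS peer that JVM validates, not just the domain controller, so it is a stop-gap while the DC's certificate is reissued at 2048 bits or more.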

@lduvnjak

Think I found one of the issues.

So… as you stated, you're using this version of Graylog?

If this is correct, your Graylog configuration file is incorrect. Graylog no longer uses these settings

For better clarity please look here.

And here

Hi @gsmith,

Thanks for pointing that out. I’ve removed those lines, but the issue still persists.

Here is the full error when trying to log in via LDAPS:

2022-02-16T02:26:23.130-05:00 ERROR [ADAuthServiceBackend] ActiveDirectory error
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server 192.168.0.13:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28'))
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:915) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:802) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:740) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:560) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:329) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:688) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.FailoverServerSet.getConnection(FailoverServerSet.java:592) ~[graylog.jar:?]
        at org.graylog.security.authservice.ldap.UnboundLDAPConnector.connect(UnboundLDAPConnector.java:130) ~[graylog.jar:?]
        at org.graylog.security.authservice.backend.ADAuthServiceBackend.authenticateAndProvision(ADAuthServiceBackend.java:89) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:102) ~[graylog.jar:?]
        at org.graylog.security.authservice.AuthServiceAuthenticator.authenticate(AuthServiceAuthenticator.java:65) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:93) ~[graylog.jar:?]
        at org.graylog2.security.realm.UsernamePasswordRealm.doGetAuthenticationInfo(UsernamePasswordRealm.java:71) ~[graylog.jar:?]
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:225) ~[graylog.jar:?]
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:275) ~[graylog.jar:?]
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) ~[graylog.jar:?]
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) ~[graylog.jar:?]
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:275) ~[graylog.jar:?]
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) ~[graylog.jar:?]
        at org.graylog2.shared.security.SessionCreator.create(SessionCreator.java:82) ~[graylog.jar:?]
        at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:142) ~[graylog.jar:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_312]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_312]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_312]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_312]
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52) ~[graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:124) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:167) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:219) [graylog.jar:?]
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:79) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:469) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:391) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:80) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:680) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_312]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_312]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_312]
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28')
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:204) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28
        at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:287) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:904) ~[graylog.jar:?]
        ... 48 more
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_312]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_312]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_312]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1427) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1352) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1296) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_312]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_312]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_312]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=*REDACTED*
        at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:893) ~[?:1.8.0_312]
        at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:509) ~[?:1.8.0_312]
        at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:252) ~[?:1.8.0_312]
        at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:198) ~[?:1.8.0_312]
        at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:292) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1423) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1352) ~[?:1.8.0_312]
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1296) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:1.8.0_312]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:1.8.0_312]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:1.8.0_312]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[?:1.8.0_312]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) ~[?:1.8.0_312]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1392) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1300) ~[?:1.8.0_312]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435) ~[?:1.8.0_312]
        at com.unboundid.util.ssl.SetEnabledProtocolsAndCipherSuitesSocket.startHandshake(SetEnabledProtocolsAndCipherSuitesSocket.java:926) ~[graylog.jar:?]
        at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:173) ~[graylog.jar:?]
2022-02-16T02:26:23.156-05:00 INFO  [SessionCreator] Session creation failed due to authentication service being unavailable. Actor: "urn:graylog:user:lduvnjak"

It’s worth noting that when testing, firewalld is stopped and SELinux is set to Permissive, to ensure it’s not an issue with either.

Hi @gsmith,

Thanks for pointing that out. I’ve removed those lines but the issue still persists. Here is the shortened error when attempting to log in via LDAPS:

2022-02-16T02:26:23.130-05:00 ERROR [ADAuthServiceBackend] ActiveDirectory error
com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server 192.168.0.13:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28'))
 ...
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28')
...
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server /192.168.0.13:636:  SSLHandshakeException(Certificates do not conform to algorithm constraints), ldapSDKVersion=5.1.1, revision=580fabe31b0752099ccd9a835fe7da96e8251e28
 ...
Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=*REDACTED*
...
2022-02-16T02:26:23.156-05:00 INFO  [SessionCreator] Session creation failed due to authentication service being unavailable. Actor: "urn:graylog:user:lduvnjak"

It’s worth pointing out that at the time of testing firewalld is stopped and SELinux is set to Permissive.

Well…
Here are your options

Renew the server or CA certificate(s) in the certificate chain to make sure it is using a signature algorithm other than MD2, or make sure the key length is equal to or greater than 1024 when the RSA signature algorithm is used.

If you are using Java with the default keystore, perhaps modify /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64/jre/lib/security/java.security. If the server you are connecting to has a certificate in the certificate chain with an MD2 signature algorithm, then you could modify the line to be the following: jdk.certpath.disabledAlgorithms=RSA keySize < 1024. It may not be exactly that line but something similar.

I have not done this before, but it’s in this section of the file. This is located from the PWD I showed above.

To be honest, I would make new certificates above 1024 and call it a day.
Hope that helps

EDIT: I think I found the section you may need from the java.security file.

# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves

#
# Legacy algorithms for certification path (CertPath) processing and
# signed JAR files.
#
# In some environments, a certain algorithm or key length may be undesirable
# but is not yet disabled.
#

Hi @gsmith,

Unfortunately I already tried editing all the java.security files I can find and making sure that nothing mentions a <2048 key. The signing algorithm is SHA256 and the key size is 1024 bit, so theoretically java should no longer be blocking it, but that does not seem to be the case.

Changing the server key to a 2048 bit is not feasible as it’s an Active Directory and too many services are connected to it.
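The java.security excerpt quoted above and the follow-up that editing every java.security file still left the 1024-bit key rejected are both served by one added example. This is my own illustration, not Graylog or OpenJDK code. It parses the java.security properties format (including the backslash continuation lines in the quoted block), splits jdk.certpath.disabledAlgorithms into its entries, and reports which entry, if any, rejects a given key algorithm and size. It also models one assumption worth checking on an Alma/RHEL 8-family host: the JDK's java.security there sets security.useSystemPropertiesFile=true, which makes the JVM overlay the system-wide crypto policy file (assumed path /etc/crypto-policies/back-ends/java.config), and that overlay can define a stricter jdk.certpath.disabledAlgorithms than the java.security file you edited. The sample file contents below are constructed for the example, not copied from any real host.

```python
"""Resolve the jdk.certpath.disabledAlgorithms constraints a JVM applies and
test a server key against them.

Added example for this thread, not Graylog or OpenJDK code. Assumption: on
RHEL 8-family JDKs, security.useSystemPropertiesFile=true makes the JVM overlay
/etc/crypto-policies/back-ends/java.config on top of java.security.
"""
import operator
import re

# Assumed overlay location on Alma/RHEL 8 (verify on your host).
CRYPTO_POLICY_JAVA_CONFIG = "/etc/crypto-policies/back-ends/java.config"

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
_KEYSIZE_RE = re.compile(r"^(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$")


def parse_properties(text):
    """Parse java.security text: '#'/'!' comment lines, key=value pairs, and a
    trailing backslash that joins the next line (its leading blanks dropped)."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_constraints(value):
    """Split a disabledAlgorithms value into (kind, algorithm, op, size) tuples.
    kind is 'ban' (algorithm disabled outright), 'keysize' (size limit) or
    'conditional' (qualifiers such as 'jdkCA & usage TLSServer', which are
    listed but not evaluated here)."""
    entries = []
    for entry in value.split(","):
        entry = " ".join(entry.split())  # normalise internal whitespace
        if not entry or entry.startswith("include "):
            continue  # 'include jdk.disabled.namedCurves' points at another property
        m = _KEYSIZE_RE.match(entry)
        if m:
            entries.append(("keysize", m.group(1).upper(), m.group(2), int(m.group(3))))
        elif " " in entry:
            entries.append(("conditional", entry.split()[0].upper(), None, None))
        else:
            entries.append(("ban", entry.upper(), None, None))
    return entries


def rejection_reason(constraints, algorithm, key_size):
    """Return the constraint text that rejects a key of `algorithm`/`key_size`
    bits, or None when the key passes every evaluated entry."""
    alg = algorithm.upper()
    for kind, name, op, size in constraints:
        if name != alg:
            continue
        if kind == "ban":
            return f"{name} is disabled outright"
        if kind == "keysize" and _OPS[op](key_size, size):
            return f"{name} keySize {op} {size} matches a {key_size}-bit key"
    return None


def effective_disabled_algorithms(java_security_text, crypto_policy_text=None):
    """jdk.certpath.disabledAlgorithms in force: the java.security value, unless
    security.useSystemPropertiesFile=true and the overlay defines the property
    (the overlay wins; see the assumption in the module docstring)."""
    props = parse_properties(java_security_text)
    if (props.get("security.useSystemPropertiesFile", "").lower() == "true"
            and crypto_policy_text is not None):
        props.update(parse_properties(crypto_policy_text))
    return props.get("jdk.certpath.disabledAlgorithms", "")


def check_key(java_security_text, algorithm, key_size, crypto_policy_text=None):
    """Reason the key would be rejected at CertPath validation, or None."""
    value = effective_disabled_algorithms(java_security_text, crypto_policy_text)
    return rejection_reason(parse_constraints(value), algorithm, key_size)


# Constructed sample inputs for this example (not copied from any real host).
SAMPLE_JAVA_SECURITY = """\
# excerpt in the shape of the java.security block quoted in the thread
security.useSystemPropertiesFile=true
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \\
    include jdk.disabled.namedCurves
"""

SAMPLE_CRYPTO_POLICY = """\
# constructed stand-in for a stricter crypto-policy overlay
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
"""

if __name__ == "__main__":
    for label, overlay in (("java.security alone", None),
                           ("with crypto-policy overlay", SAMPLE_CRYPTO_POLICY)):
        reason = check_key(SAMPLE_JAVA_SECURITY, "RSA", 1024, overlay)
        print(f"{label}: {'REJECTED, ' + reason if reason else 'accepted'}")
    # Live host: pass pathlib.Path(<jre>/lib/security/java.security).read_text()
    # and pathlib.Path(CRYPTO_POLICY_JAVA_CONFIG).read_text() instead of the samples.
```

With the sample inputs, the java.security value alone accepts a 1024-bit RSA key (the entry is "RSA keySize < 1024", which 1024 does not match), while the overlay's "RSA keySize < 2048" rejects it, which is the pattern to look for when the file you edited does not seem to take effect. On the host itself, `update-crypto-policies --show` prints the active policy name, and the server's actual key size can be read from the chain returned by `openssl s_client -connect <host>:636 -showcerts` piped through `openssl x509 -noout -text`.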

Hello

Oh, I see… Well, not much more I can do; maybe someone here has a better idea, but at least you know where the issue is.
