LDAP Authentication SSLHandshakeException


1. Describe your incident:
I'm trying to set up LDAP authentication against eDirectory LDAP. Graylog is the first third-party product where I have had any problem with SSL.

2. Describe your environment:

  • OS Information: openSUSE Leap 15.5

  • Package Version: 5.5.2

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

I imported the eDirectory CA into the Java certificate store. I tried starting the Graylog server with the debug option to see a more detailed error message, but the only information I get is when I test the connection on the setup page: "IOException(LDAPException(resultCode=91 (connect error), errorMessage=‘An error occurred while attempting to establish a connection to server testserver.test.com:636: SSLHandshakeException(Received fatal alert: handshake_failure), ldapSDKVersion=6.0.10, revision=51b3c7fe15cf42d4b2cd3bbd8165ebf759a8277d’))"

4. How can the community help?

I'm unable to get more info from the logs. I set GRAYLOG_SERVER_ARGS="-d" in /etc/sysconfig/graylog-server, but even with that there isn't any LDAP error message in the server log.
I tried adding -Djavax.net.debug=all -Djava.security.debug=all, but this doesn't add more verbose messages for the SSL handshake.


Found where to look for the debug messages: because in my case the Graylog server is running under systemd, all Java net debug messages are in the journal log.

journalctl -u graylog-server

Is there a way to limit the maximum TLS version that it tries to negotiate? It looks like there is a problem with TLSv1.3. I tried setting jdk.tls.disabledAlgorithms=TLSv1.3 in java.security, but no change at all.
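An added diagnostic, not from this thread or from Graylog: it parses the result code, target and TLS alert out of the LDAP SDK error quoted above, then attempts a handshake to the LDAPS port once with TLS 1.3 allowed and once capped at TLS 1.2, so you can tell whether the server only fails on 1.3 or rejects the handshake regardless. The host name is the placeholder from the thread, and `cafile` is assumed to be the eDirectory CA in PEM form (pass `None` to use the system trust store).

```python
import re
import socket
import ssl

# Constructed sample: the error text quoted in the thread, trimmed to the relevant part.
SAMPLE_ERROR = ("IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error "
                "occurred while attempting to establish a connection to server testserver.test.com:636: "
                "SSLHandshakeException(Received fatal alert: handshake_failure)'))")


def parse_ldap_sdk_error(msg):
    """Pull result code, target host:port and TLS alert out of an UnboundID-style LDAPException text."""
    code = re.search(r"resultCode=(\d+)", msg)
    target = re.search(r"to server ([\w.-]+):(\d+)", msg)
    alert = re.search(r"Received fatal alert: (\w+)", msg)
    return {
        "result_code": int(code.group(1)) if code else None,
        "host": target.group(1) if target else None,
        "port": int(target.group(2)) if target else None,
        "alert": alert.group(1) if alert else None,
    }


def make_context(max_version, cafile=None):
    """Client context that verifies the server chain (against cafile or the system store) and caps the version."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = max_version
    return ctx


def probe_ldaps(host, port=636, cafile=None, timeout=5):
    """Handshake once per protocol cap; record negotiated version and cipher, or the failure reason."""
    results = {}
    for label, ver in (("TLSv1.3", ssl.TLSVersion.TLSv1_3), ("TLSv1.2", ssl.TLSVersion.TLSv1_2)):
        ctx = make_context(ver, cafile)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = {"ok": True, "negotiated": tls.version(), "cipher": tls.cipher()[0]}
        except (ssl.SSLError, OSError) as exc:  # alert, verify failure, refused, DNS, timeout
            results[label] = {"ok": False, "error": getattr(exc, "reason", None) or str(exc)}
    return results


if __name__ == "__main__":
    info = parse_ldap_sdk_error(SAMPLE_ERROR)
    print("parsed:", info)
    # Placeholder host from the thread; set cafile to the eDirectory CA PEM on a real run.
    for label, outcome in probe_ldaps(info["host"], info["port"], cafile=None).items():
        print(label, outcome)
```

If the TLSv1.2-capped attempt succeeds while the TLSv1.3 attempt reports handshake_failure, the server side (or a middlebox) is the one rejecting 1.3; a CERTIFICATE_VERIFY_FAILED reason on both points at the CA import instead.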

OK, I ended up creating an HAProxy LDAP proxy. :slightly_frowning_face:
