Tag Archives: tls

JDK: disable TLSv1.0

Sometimes a deployed Java web server has to stop accepting a protocol it currently offers. Take TLSv1.0 as the example: the JDK lets you switch it off centrally in java.security, without changing the application.

Find the JRE inside your JDK installation and open jre/lib/security/java.security (on a stand-alone JRE the file is lib/security/java.security). Locate the jdk.tls.disabledAlgorithms property, which on JDK 8 reads something like

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

and append TLSv1 to the list. The JDK's name for TLS 1.0 is TLSv1 (TLSv1.1 and TLSv1.2 are the later versions); an entry spelled tlsv1.0 is not a protocol name the JDK recognises and disables nothing:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1

Restart the JVM for the change to take effect, then confirm from outside that the listener now refuses a TLS 1.0 handshake, for instance with openssl s_client -connect host:port -tls1 (expect a handshake failure). Two caveats: a JDK update replaces java.security, so either re-apply the edit or keep the property in a separate file passed with -Djava.security.properties=<file>; and recent updates (8u291, 11.0.11 and later) already list TLSv1 and TLSv1.1 here by default.
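As an added example, not part of the original post, the following POSIX shell script takes the edit above one step further: it reads the current jdk.tls.disabledAlgorithms value out of a java.security file (joining the backslash continuation lines the JDK 8 file uses), appends TLSv1 only if it is not already listed, and writes the result to a separate override file for -Djava.security.properties, so the JDK's own file stays untouched and the setting survives JDK updates. The sample java.security content and the override file name are constructed for the example; the real file path depends on your JDK.

```shell
#!/bin/sh
# Added example, not from the original post: build a java.security override
# file that adds TLSv1 to jdk.tls.disabledAlgorithms without editing the JDK's
# own file. Assumptions: the override file name and the sample java.security
# content in make_sample_java_security are constructed for illustration.

# Effective value of a property in a java.security-style file. Lines ending
# in "\" continue on the next line, as in the JDK 8 defaults. Prints nothing
# if the property is absent; commented-out ("#...") copies are ignored.
java_security_get() {  # $1=file $2=property
    awk -v key="$2" '
    {
        if (!found) {
            if (index($0, key "=") != 1) next
            found = 1
            val = substr($0, length(key) + 2)
        } else {
            val = val " " $0               # continuation line
        }
        if (val ~ /\\[ \t]*$/) {           # trailing backslash: keep reading
            sub(/\\[ \t]*$/, "", val)
            next
        }
        print val
        exit
    }' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]][[:space:]]*/ /g'
}

# Append $2 to the comma-separated list $1 unless it is already there.
# Entries are compared whole, so "TLSv1" does not match "TLSv1.1".
add_disabled_algorithm() {  # $1=current list $2=entry
    [ -n "$1" ] || { printf '%s\n' "$2"; return; }
    case ", $1," in
        *", $2,"*) printf '%s\n' "$1" ;;
        *)         printf '%s, %s\n' "$1" "$2" ;;
    esac
}

# Write an override file carrying the current list plus TLSv1. Start the JVM
# with -Djava.security.properties=<override file>; a property set there
# replaces (does not extend) the JDK's value, which is why the current list
# is copied in rather than just "TLSv1".
write_tls_override() {  # $1=java.security $2=override file
    cur=$(java_security_get "$1" jdk.tls.disabledAlgorithms)
    new=$(add_disabled_algorithm "$cur" TLSv1)
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$new" > "$2"
}

# Constructed sample, modelled on the JDK 8 defaults quoted above.
make_sample_java_security() {  # $1=output path
    cat > "$1" <<'EOF'
# constructed sample, not a real JDK file
security.provider.1=sun.security.provider.Sun
#jdk.tls.disabledAlgorithms=this commented copy must be ignored
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \
    DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
EOF
}

# Usage against a real JDK (paths are assumptions):
#   write_tls_override /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/java.security \
#       /etc/java-tls-override.properties
#   java -Djava.security.properties=/etc/java-tls-override.properties -jar app.jar
# Then confirm the listener refuses TLS 1.0 (expect a handshake failure):
#   openssl s_client -connect host:443 -tls1 </dev/null
```

The override mechanism works because security.overridePropertiesFile=true is the JDK default; if a hardened java.security sets it to false, the -D option is ignored and only the in-place edit remains.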

OpenLDAP: main: TLS init def ctx failed: -1

Problem

System: Ubuntu 14.04
Version: OpenLDAP 2.4.42
Packages: slapd ldap-utils openssl libssl-dev

I generated a certificate with openssl on Ubuntu 14.04 and pointed the cn=config database at it (olcTLSCACertificateFile, olcTLSCertificateFile, olcTLSCertificateKeyFile). After that slapd refused to start, and syslog showed only
"main: TLS init def ctx failed: -1"

The message comes from slapd's start-up: it could not initialise its default TLS context from the configured files, and slapd exits rather than run without TLS. The -1 says nothing about why; running slapd in the foreground with debugging (slapd -d -1 ...) shows the TLS library's own error, which is far more specific.

Solution

slapd started again after working through these checks:

  1. Check the paths. Make sure every file named in the cn=config TLS attributes (olcTLSCACertificateFile, olcTLSCertificateFile, olcTLSCertificateKeyFile) exists at exactly that path; a typo in cn=config fails the same way as a missing file.
  2. Check file permissions. slapd runs as the openldap user, so the certificate and key must be owned and readable by it:
    chown openldap:openldap /etc/ssl/certs/ldapcert.pem
    chown openldap:openldap /etc/ssl/private/ldapkey.pem
    chmod 0400 /etc/ssl/certs/ldapcert.pem
    chmod 0400 /etc/ssl/private/ldapkey.pem
    The result should look like this (the CA certificate can stay root-owned and world-readable):
    -rw-r--r-- 1 root     root     1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
    -r-------- 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
    -r-------- 1 openldap openldap  891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem
  3. Check that libssl-dev and ssl-cert are installed, ssl-cert in particular. The ssl-cert package creates the ssl-cert group and makes /etc/ssl/private owned by root:ssl-cert with mode 0710, so without it nothing but root can reach the key directory. (Debian and Ubuntu build slapd against GnuTLS, so libssl-dev is not what slapd loads at run time; the openssl tools are still what you use to create and verify the files.)
  4. Check that user openldap is in group ssl-cert; that is what lets it traverse /etc/ssl/private:
    adduser openldap ssl-cert
    Restart slapd afterwards, since group membership is picked up only when the process starts.
  5. Check that the certificate itself is valid and chains to the CA slapd is told to trust:
    openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
  6. Check AppArmor. This goes with step 1: Ubuntu confines slapd with the profile /etc/apparmor.d/usr.sbin.slapd, which already permits reads under /etc/ssl/. If your files live anywhere else, add read rules for their paths to that profile and reload it:
    /etc/init.d/apparmor reload
    A blocked read shows up in syslog or dmesg as an apparmor="DENIED" line for profile="/usr/sbin/slapd", which is a quick way to tell this case apart from a plain permission problem.
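The six checks above as an added shell script that is not part of the original post. It reads the TLS file paths from cn=config with ldapsearch rather than assuming /etc/ssl/..., and turns each check into a function that reports what is wrong and returns non-zero. The openldap user, the ssl-cert group and the /etc/ssl paths are assumptions taken from the Ubuntu layout described above; the LDIF used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the checks above as a script.
# Assumptions: slapd runs as user "openldap", the key directory is protected
# by group "ssl-cert", and slapd's AppArmor profile allows /etc/ssl/** (all
# taken from the Ubuntu layout in the post, not verified against other distros).

# Dump the olcTLS* attributes of cn=config (run as root; ldapi + SASL EXTERNAL).
dump_tls_config() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcGlobal)' \
        olcTLSCACertificateFile olcTLSCertificateFile olcTLSCertificateKeyFile
}

# First value of attribute $1 from LDIF on stdin. Only plain "attr: value"
# lines are handled; LDIF base64-encodes as "attr:: ..." values that need it,
# which a file path normally does not.
ldif_attr() {  # $1=attribute
    awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# Check one certificate or key file. Prints each problem found and returns 1
# if there was any. $3 is "cert" or "key"; keys must not be world-readable.
check_tls_file() {  # $1=path $2=expected owner $3=cert|key
    rc=0
    if [ ! -f "$1" ]; then
        echo "missing: $1 (compare with the path in cn=config)"
        return 1
    fi
    [ -n "$(find "$1" -user "$2" 2>/dev/null)" ]  || { echo "not owned by $2: $1"; rc=1; }
    [ -n "$(find "$1" -perm -400 2>/dev/null)" ]  || { echo "not readable by owner: $1"; rc=1; }
    if [ "$3" = key ] && [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "world-readable key: $1"
        rc=1
    fi
    case "$1" in
        /etc/ssl/*) ;;
        *) echo "note: $1 is outside /etc/ssl; /etc/apparmor.d/usr.sbin.slapd needs a read rule for it" ;;
    esac
    return $rc
}

# Run every check against the live configuration (or against LDIF passed as $1).
check_ldap_tls() {
    ldif=${1:-$(dump_tls_config)}
    ca=$(printf '%s\n' "$ldif" | ldif_attr olcTLSCACertificateFile)
    cert=$(printf '%s\n' "$ldif" | ldif_attr olcTLSCertificateFile)
    key=$(printf '%s\n' "$ldif" | ldif_attr olcTLSCertificateKeyFile)
    rc=0
    check_tls_file "$cert" openldap cert || rc=1
    check_tls_file "$key"  openldap key  || rc=1
    # /etc/ssl/private is root:ssl-cert 0710, so slapd needs the group to get in.
    id -Gn openldap 2>/dev/null | tr ' ' '\n' | grep -qx ssl-cert \
        || { echo "openldap is not in group ssl-cert (adduser openldap ssl-cert, then restart slapd)"; rc=1; }
    # Chain check, as in step 5.
    openssl verify -CAfile "$ca" "$cert" || rc=1
    # The key must belong to the certificate: compare the public keys.
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "key does not match certificate: $key / $cert"; rc=1; }
    return $rc
}

# Usage on the server, as root:  check_ldap_tls && echo "TLS files look fine"
```

Run it as root on the LDAP host; every line it prints maps to one of the numbered checks, and a clean run followed by a still-failing slapd points at whatever slapd -d -1 reports next (an unsupported key format, for instance) rather than at the file layout.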
If you have any other questions, feel free to contact me at 32634366@qq.com.

PS:
I was stuck on this for a long time; it worked after I installed ssl-cert and added user openldap to group ssl-cert.

Ref:
http://readthefuckingmanual.net/error/1257/