SSLHandshakeException extension 5 should not be presented in certificate request

Error when performing External Active Directory authentication: "javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request"


KB 24434. Last updated on 2022-06-08





Problem

The web UI shows the error below when configuring External Active Directory authentication.

The "Test" connection fails with the following error:

javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
       at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
       at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
       at java.base/sun.security.ssl.SSLExtensions.<init>(SSLExtensions.java:90)
       at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestMessage.<init>(CertificateRequest.java:818)
       at java.base/sun.security.ssl.CertificateRequest$T13CertificateRequestConsumer.consume(CertificateRequest.java:922)
...

Solution

This is caused by an upstream OpenJDK bug in the TLS 1.3 client. The alert text says the JDK refuses TLS extension type 5 (status_request) in the TLS 1.3 CertificateRequest message, even though RFC 8446 allows a server to send it there; the domain controller sends it, and the affected JDK aborts the handshake. The stack trace (T13CertificateRequestMessage) shows that a TLS 1.3 handshake was in progress, so the "-Djdk.tls.client.protocols" option itself does accept TLSv1.3. The workaround is to remove TLSv1.3 from the client protocol list (and from "-Dhttps.protocols" alongside it) so that mailboxd's LDAP client negotiates TLS 1.2 with the domain controller. A JDK build that contains the upstream fix no longer needs this workaround.

Check whether TLSv1.3 is listed in the mailboxd JVM options (run as the zimbra user):

zmlocalconfig -s mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true

Remove TLSv1.3 from both protocol lists. Build the new value from your own "-s" output rather than copying the line below verbatim, since the remaining JVM options differ between releases, and keep the single quotes so the shell does not expand "${networkaddress_cache_ttl}", which is a localconfig reference that Zimbra resolves itself. Only TLSv1.2 is required for the workaround; TLSv1 and TLSv1.1 are deprecated (RFC 8996) and can be dropped as well if nothing else on the server still depends on them:

zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'

Restart mailboxd so the new JVM options take effect:

zmmailboxdctl restart
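The three steps above can be scripted so that the long option string is never retyped by hand. The following is an added example, not code from the Zimbra wiki or the Zimbra project: it reads the live value, drops TLSv1.3 from the two protocol lists while leaving every other JVM option untouched, refuses to leave a list empty, and only then stores the value and restarts mailboxd. The sample input is a constructed copy of the value shown above; "zmlocalconfig -m nokey" (value only, references unexpanded) and the "--apply" flag are the assumptions made here.

```sh
#!/bin/sh
# Added example (not from the Zimbra wiki page): drop TLSv1.3 from
# mailboxd_java_options without retyping the whole option string.

# strip_tlsv13 OPTIONS
# Prints OPTIONS with TLSv1.3 removed from -Dhttps.protocols and
# -Djdk.tls.client.protocols; every other option is passed through as-is.
# Fails if a protocol list would be left empty.
strip_tlsv13() {
    set -f                      # no globbing: the value contains "-Xlog:gc*=..."
    oldifs=$IFS
    out=''
    for word in $1; do
        case "$word" in
            -Dhttps.protocols=*|-Djdk.tls.client.protocols=*)
                key=${word%%=*}
                newlist=''
                IFS=','
                for proto in ${word#*=}; do
                    [ "$proto" = 'TLSv1.3' ] && continue
                    newlist="${newlist:+$newlist,}$proto"
                done
                IFS=$oldifs
                if [ -z "$newlist" ]; then
                    echo "strip_tlsv13: $key would be left empty" >&2
                    set +f
                    return 1
                fi
                word="$key=$newlist"
                ;;
        esac
        out="${out:+$out }$word"
    done
    set +f
    printf '%s\n' "$out"
}

# has_tlsv13 OPTIONS: succeeds if either protocol list still contains TLSv1.3.
has_tlsv13() {
    printf '%s\n' "$1" |
        grep -Eq -e '-D(https\.protocols|jdk\.tls\.client\.protocols)=[^ ]*TLSv1\.3'
}

# apply_workaround: read the live value (assumed: "-m nokey" prints the bare,
# unexpanded value), rewrite it, store it and restart mailboxd.
# Run as the zimbra user; only invoked with --apply.
apply_workaround() {
    current=$(zmlocalconfig -m nokey mailboxd_java_options) || return 1
    updated=$(strip_tlsv13 "$current") || return 1
    if [ "$updated" = "$current" ]; then
        echo 'TLSv1.3 is not listed; nothing to change' >&2
        return 0
    fi
    zmlocalconfig -e "mailboxd_java_options=$updated" || return 1
    zmmailboxdctl restart
}

# Constructed sample input: the value shown on this page, with TLSv1.3 enabled.
# ${networkaddress_cache_ttl} is a localconfig reference, so it stays literal.
SAMPLE='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -XX:+UseG1GC -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'

if [ "${1:-}" = '--apply' ]; then
    apply_workaround
else
    # Dry run: show what the rewritten value would look like.
    strip_tlsv13 "$SAMPLE"
fi
```

Without arguments the script only prints the rewritten sample; with "--apply" it changes the live localconfig and restarts mailboxd, so run it that way only on the mailbox server and as the zimbra user.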
Submitted by: Harsh Massey
Verified Against: ZCS 8.8, ZCS 9.0
Date Created: 2022-06-08
Article ID: https://wiki.zimbra.com/index.php?title=SSLHandshakeException_extension_5_should_not_be_presented_in_certificate_request
Date Modified: 2022-06-08


