SSLHandshakeException extension 5 should not be presented in certificate request

Error when performing External Active Directory authentication: "extension (5) should not be presented in certificate_request"

KB 24434        Last updated on 2022-06-08



The WebUI shows the following error when configuring External Active Directory authentication.

The "Test" connection fails with the following error: extension (5) should not be presented in certificate_request
       at java.base/
       at java.base/
       at java.base/
       at java.base/
       at java.base/
       at java.base/<init>(
       at java.base/$T13CertificateRequestMessage.<init>(
       at java.base/$T13CertificateRequestConsumer.consume(


This is caused by an upstream OpenJDK bug. The "-Djdk.tls.client.protocols" attribute is compatible only with TLS 1.2 and older versions, not with TLS 1.3.

Check if TLSv1.3 is enabled:

zmlocalconfig -s mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m

Remove TLSv1.3:

zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m'

Restart mailboxd service:

zmmailboxdctl restart
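
The check-and-remove steps above, as an added shell example (not part of the original article or of Zimbra's tooling): the hypothetical helper strip_tls13 removes only the TLSv1.3 entry from the two protocol lists and passes every other option through unchanged, so the long value does not have to be retyped by hand. The sample value is a constructed, abbreviated copy of the one shown above.

```shell
#!/bin/sh
# Added example: strip_tls13 is a hypothetical helper, not a Zimbra command.
# It prints the given option string with TLSv1.3 removed from
# -Dhttps.protocols and -Djdk.tls.client.protocols; all other options,
# including the remaining protocol entries, pass through unchanged.
# The body runs in a subshell so "set -f" does not leak to the caller.
strip_tls13() (
    set -f            # no globbing: the real value contains "gc*=info"
    out=
    for opt in $1; do
        case $opt in
            -Dhttps.protocols=*|-Djdk.tls.client.protocols=*)
                kept=$(printf '%s' "${opt#*=}" | tr ',' '\n' |
                       grep -vx 'TLSv1\.3' | paste -sd, -)
                if [ -z "$kept" ]; then
                    # Nothing left to allow: refuse rather than
                    # write an empty protocol list.
                    echo "no protocol left in ${opt%%=*}" >&2
                    exit 1
                fi
                opt="${opt%%=*}=$kept"
                ;;
        esac
        out="${out:+$out }$opt"
    done
    printf '%s\n' "$out"
)

# Constructed sample: abbreviated copy of the value shown in the article.
sample='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true${networkaddress_cache_ttl} -Xlog:gc*=info'
strip_tls13 "$sample"

# On a Zimbra host (assumes "zmlocalconfig -s" prints "key = value" as above):
#   cur=$(zmlocalconfig -s mailboxd_java_options | sed 's/^mailboxd_java_options = //')
#   new=$(strip_tls13 "$cur") && zmlocalconfig -e mailboxd_java_options="$new"
#   zmmailboxdctl restart
```

Running the helper a second time on its own output returns the same string, so `zmlocalconfig -s mailboxd_java_options` can be compared before and after the change to confirm that only the two protocol lists differ.
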

Submitted by: Harsh Massey
Verified Against: ZCS 8.8, ZCS 9.0
Date Created: 2022-06-08
Article ID:
Date Modified: 2022-06-08
