LDAP Server chose TLSv1.1, but that protocol version is not enabled or not supported by the Weblogic client

We have configured AD Authenticator in Weblogic and we enabled TLSv1.2 only on Weblogic . When we restart Admin server it fails to connect with AD with the below error . In the logs we can see ClientHello with TLSv1.2 but the AD responds back with TLSv1.1 and that is where the connectivity fails . If we enable TLSv1.1 then the connection goes fine .
AD side All the protocols are enabled and with openssl we are able to connect to AD over TLSv1.2 (openssl s_client -connect IP:636 -tls1_2 )
openssl can use to test connectivity to server only (inbound not for outbound )
openssl s_client -connect <hostname:port> -tls1
openssl s_client -connect <hostname:port> -tls1_1
openssl s_client -connect <hostname:port> -tls1_2
Error logs

<Feb 6, 2019, 1:50:07,170 PM SGT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "TEST Active Directory Authenticator" failed to make a connection to LDAP server at ldaps://activedirectory.com:636, the error cause is: Server chose TLSv1.1, but that protocol version is not enabled or not supported by the client..>
<Feb 6, 2019, 1:50:07,171 PM SGT> <Debug> <SecurityAtn> <BEA-000000> <Connecting to host=activedirectory, ssl port=636>
<Feb 13, 2020, 10:25:45,92 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ClientHello, TLSv1.2>
if we enable ssl debug we can see below 
<Feb 13, 2019, 10:25:45,92 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ClientHello, TLSv1.2>
....
<Feb 13, 2019, 10:25:45,107 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ServerHello, TLSv1.1>
....
<Feb 13, 2019, 10:25:45,107 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ServerHello, TLSv1.1>
-Dweblogic.security.SSL.protocolVersion=TLSv1.2 --> this is for inbound call's 
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 --> this is for inbound call's 
Below parameters are for outbound call's
-Djdk.tls.client.protocols=TLSv1.2
If your application is using the HttpsClient or HttpsURLConnection classes, you need to use the https.protocols system property:
-Dhttps.protocols=TLSv1.2
Finally issue solved by adding below jvm arguements
 -Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2

Related Posts

Leave a Reply

Your email address will not be published.