Cannot get LDAPS to work

I’m experiencing problems with an LDAPS-Authorization; LDAP works fine.
I’ve installed the certificate with keytool; this should not be the problem.
When I do the LDAPS-Query, I always get this error message:

cannot load class through its string name, because no definition for the class with the specified name [com.sun.net.ssl.internal.ssl.Provider] could be found caused by (java.lang.ClassNotFoundException:com.sun.net.ssl.internal.ssl.Provider;java.lang.ClassNotFoundException:com.sun.net.ssl.internal.ssl.Provider;)

Any Ideas what’s going wrong? It looks like there’s SSL-Stuff missing (maybe because of AdoptOpenJDK?)

OS: Windows Server 2016
Java: AdoptOpenJDK 14.0.2 64bit
Tomcat: 9.0.37
Lucee: 5.3.6.61

I’m no Java expert, nor an LDAP one, but I have some information that might help a little until someone else with more experience chimes in. It looks like the code you’re using is legacy code and the package com.sun.net.ssl.internal.ssl.Provider has been removed.

The class migrated to another one, please see 5.2 especially 5.2.1 at
https://docs.deistercloud.com/content/Technology.50/Java/Migration%20from%20java%208%20to%20java%209.xml?embedded=true

The code you are using will probably have to be adapted to make use of the newer valid class.

Actually, I’m using just CFLDAP from Lucee:

<cfldap 
     server="LdapServerName" 
     port="636"
     secure="CFSSL_BASIC"
     attributes=... 
     start=...
     filter=...
     ...
/>

I’ve just tried with AdoptOpenJDK15; still the same error.
Do changes have to be made within Lucee?

yup, TLS isn’t supported yet

https://luceeserver.atlassian.net/browse/LDEV-2622

Is there a timeframe for this to be implemented? Or a workaround?

it’s not on the immediate radar

can you comment on that bug, including the stacktrace and your java version

Java is AdoptOpenJDK 14.0.2; or also 15.
StackTrace is this:

lucee.runtime.exp.NativeException: cannot load class through its string name, because no definition for the class with the specified name [com.sun.net.ssl.internal.ssl.Provider] could be found caused by (java.lang.ClassNotFoundException:com.sun.net.ssl.internal.ssl.Provider;java.lang.ClassNotFoundException:com.sun.net.ssl.internal.ssl.Provider;)
at lucee.commons.lang.ClassUtil.loadClass(ClassUtil.java:225)
at lucee.runtime.net.ldap.LDAPClient.setSecureLevel(LDAPClient.java:138)
at lucee.runtime.tag.Ldap._doStartTag(Ldap.java:365)
at lucee.runtime.tag.Ldap.doStartTag(Ldap.java:353)
at ldap_cfm$cf$4.call(/ldap.cfm:36)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:945)
at lucee.runtime.PageContextImpl._doInclude(PageContextImpl.java:837)
at lucee.runtime.listener.ClassicAppListener._onRequest(ClassicAppListener.java:64)
at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43)
at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2416)
at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2406)
at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2381)
at lucee.runtime.engine.Request.exe(Request.java:43)
at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1127)
at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1073)
at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: lucee.commons.lang.ClassException: cannot load class through its string name, because no definition for the class with the specified name [com.sun.net.ssl.internal.ssl.Provider] could be found caused by (java.lang.ClassNotFoundException:com.sun.net.ssl.internal.ssl.Provider;java.lang.ClassNotFoundException:com.sun.net.ssl.internal.ssl.Provider;)
… 39 more

I have filed a bug for you [LDEV-3079] - Lucee


According to System requirements :: Lucee Documentation, Lucee 6.1 is compatible with Java 21.

However, using Windows, Java 21 and Lucee 6.1.0.243, CFLDAP with SSL/TLS port 636
<cfldap secure="CFSSL_BASIC" port="636" …

results in this error
“cannot load class through its string name, because no definition for the class with the specified name [com.sun.net.ssl.internal.ssl.Provider]”

The deprecated “com.sun.net.ssl.internal.ssl.Provider” class was apparently removed in Java 13.

The alternate class that is supported is javax.net.ssl.SSLContext (according to Copilot).

LDEV-3079 is still unassigned on the backlog for over 4 years.

Can you provide an estimate when Lucee CFLDAP over SSL/TLS will be compatible with Java 21?

I appreciate all the effort that has been put into Lucee. Until Lucee is fully compatible with Java 21, I will stay with Java 11.

we will address this before releasing Lucee 6.1.1

Thank you.

I also noticed that the useTLS="True" option either doesn’t work, or I am not using it properly (Java 11). I substituted useTLS="True" for secure="CFSSL_BASIC" thinking that maybe CFLDAP would use TLS rather than the SSL2 encryption that CFSSL_BASIC supports.

I hope that the LDEV-3079 fix will support TLS 1.2 and TLS 1.3

It appears that Lucee 6.1.1.118 has resolved the CFLDAP issue where

<cfldap secure="CFSSL_BASIC" port="636" usetls="yes" ...

caused an error in combination with Java 21.

It was suggested that to ensure that TLS 1.2 is used that C:\Lucee\tomcat\bin\setenv.bat be edited or added to include the line
set "JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2"
or use some other method to include the Java option
-Dhttps.protocols=TLSv1.2
I haven’t verified this ensures TLS 1.2, but it doesn’t cause an error.

Thank you for the fix.

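A way to check what the thread leaves unverified, as an added example that is not code from any poster or from Lucee: it reports whether the legacy provider class exists on the running JVM, which TLS versions the default client SSLContext offers, and which version an LDAPS server actually negotiates. The class name LdapsTlsCheck and the host argument are assumptions; `https.protocols` is the JDK property read by HttpsURLConnection, while `jdk.tls.client.protocols` is the one that sets the default client protocols of the JSSE provider, so the output shows which of the two changes the list.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

// Hypothetical helper; run with the same JVM and options as Tomcat, e.g.
//   java -Dhttps.protocols=TLSv1.2 LdapsTlsCheck.java <ldaps-host>
public class LdapsTlsCheck {

    // Class name taken from the error message quoted in this thread.
    static final String LEGACY = "com.sun.net.ssl.internal.ssl.Provider";

    static boolean legacyProviderPresent() {
        try {
            Class.forName(LEGACY);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    // Protocol versions the JVM-wide default SSLContext offers on client sockets.
    static String[] defaultClientProtocols() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    // Handshake with host:port using the default trust store; returns the negotiated version.
    static String negotiatedProtocol(String host, int port) throws Exception {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            s.setSoTimeout(5000);
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS"); // also verify the host name
            s.setSSLParameters(p);
            s.startHandshake(); // throws if the certificate is untrusted or mismatched
            return s.getSession().getProtocol();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version             = " + System.getProperty("java.version"));
        System.out.println("legacy provider present  = " + legacyProviderPresent());
        System.out.println("https.protocols          = " + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("default client protocols = " + Arrays.toString(defaultClientProtocols()));
        if (args.length > 0) { // optional: LDAPS host to probe on port 636
            System.out.println("negotiated with " + args[0] + " = " + negotiatedProtocol(args[0], 636));
        }
    }
}
```

A handshake failure here with a certificate error points at the trust store used by that JVM (the keytool import mentioned in the first post) rather than at the protocol version.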