OpenDJ: Troubleshooting LDAP SSL connections

Troubleshooting Secure Socket Layer (SSL, also now standardized as TLS) issues is not trivial and there is no secret sauce specific to OpenDJ.

Should an LDAP SSL connection fail due to the server, you should find a descriptive error message in the server's errors log (in logs/errors). But sometimes the connection is aborted by the client with some obscure message. Often we see a message ending with "no cipher suites in common".

Java has some debugging capabilities embedded, and they are pretty easy to use with the OpenDJ LDAP directory server, which just needs to be restarted with some additional arguments: or

There are two ways to add extra arguments to the OpenDJ server startup command: using an environment variable, or using the file.

Using env variable

You define the OPENDS_JAVA_ARGS environment variable and restart the server. If you do so, make sure you include all previous arguments.

OPENDS_JAVA_ARGS='-server -Xms1G -Xmx1G,handshake,trustmanager' bin/start-ds

Using the file

Edit the file in the config directory.
Since you probably only want to trace the SSL access of the OpenDS directory server, append the ,handshake,trustmanager arguments to the start-ds line (rather than applying them to all commands):

-Xmx1G -server,handshake,trustmanager

Save the file and run the dsjavaproperties command:


Now restart the server using the start-ds command.

Where is the output?

All SSL related logs are output in the logs/server.out file.
To test, you can use ldapsearch:

bin/ldapsearch -Z -X -p 1636 -b "" -s base '(objectclass=*)'

And if you look into the logs/server.out file, you will see something similar to this:

Using SSLEngineImpl.
 Allow unsafe renegotiation: false
 Allow legacy hello messages: true
 Is initial handshake: true
 Is secure renegotiation: false
 LDAP Request Handler 0 for connection handler LDAP Connection Handler port 1636, READ: SSL v2, contentType = Handshake, translated length = 81
 *** ClientHello, TLSv1
 RandomCookie: GMT: 1287771875 bytes = { 68, 231, 5, 253, 105, 26, 137, 36, 38, 238, 12, 141, 110, 12, 59, 10, 192, 135, 113, 119, 108, 153, 10, 31, 127, 120, 110, 61 }
 Session ID: {}

This will help you to identify what part of the secure connection is failing and fix it.
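Reading a few hundred lines of this trace by hand is tedious, so here is an added example (not part of the original post, and not OpenDJ code) that reduces a javax.net.debug-style trace to one verdict per handshake: which request handler thread logged it, what protocol the client offered, which suites it offered, and whether the server answered with a ServerHello or instead logged a fatal error such as "no cipher suites in common" followed by a handshake_failure alert. The sample trace embedded below is constructed to mirror the excerpt above; the "Cipher Suites:", "fatal error:" and "ALERT:" line shapes are the ones older Java runtimes print, and the parser assumes one handshake's lines are not interleaved with another's (with many concurrent clients, group lines by the handler prefix first).

```python
"""Summarise Java SSL debug output (the lines OpenDJ writes to logs/server.out
when started with SSL debugging) into one verdict per TLS handshake.
Added example; SAMPLE_LOG is constructed, modelled on the page's excerpt."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes found in a javax.net.debug handshake trace.
HANDLER = re.compile(r"(LDAP Request Handler \d+ for connection handler [^,]+),")
CLIENT_HELLO = re.compile(r"\*\*\* ClientHello, (\S+)")
SERVER_HELLO = re.compile(r"\*\*\* ServerHello, (\S+)")
OFFERED = re.compile(r"Cipher Suites: \[(.*)\]")      # in the ClientHello
CHOSEN = re.compile(r"Cipher suite: (\S+)")           # in the ServerHello
ALERT = re.compile(r"ALERT:\s+(\w+), description = (\w+)")
FATAL = re.compile(r"fatal error: \d+: (.*)")


@dataclass
class Handshake:
    handler: Optional[str] = None          # thread that logged the hello
    client_version: Optional[str] = None   # protocol named in the ClientHello
    offered: List[str] = field(default_factory=list)
    server_version: Optional[str] = None
    chosen: Optional[str] = None
    alerts: List[str] = field(default_factory=list)   # "level/description"
    fatal: Optional[str] = None                       # text after "fatal error: NN:"

    @property
    def completed(self) -> bool:
        """True only if the server answered and nothing fatal was logged."""
        return (self.server_version is not None and self.fatal is None
                and not any(a.startswith("fatal/") for a in self.alerts))


def parse_handshakes(text: str) -> List[Handshake]:
    """Start a new record at each ClientHello and attach later facts to it."""
    handshakes: List[Handshake] = []
    current: Optional[Handshake] = None
    pending_handler: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HANDLER.search(line)):
            pending_handler = m.group(1)   # remember who logged the next hello
        if (m := CLIENT_HELLO.search(line)):
            current = Handshake(handler=pending_handler, client_version=m.group(1))
            handshakes.append(current)
            continue
        if current is None:
            continue                       # preamble before any ClientHello
        if (m := SERVER_HELLO.search(line)):
            current.server_version = m.group(1)
        elif (m := OFFERED.search(line)):
            current.offered = [c.strip() for c in m.group(1).split(",") if c.strip()]
        elif (m := CHOSEN.search(line)):
            current.chosen = m.group(1)
        elif (m := ALERT.search(line)):
            current.alerts.append(f"{m.group(1)}/{m.group(2)}")
        elif (m := FATAL.search(line)):
            current.fatal = m.group(1)
    return handshakes


def diagnose(h: Handshake) -> str:
    """One-line verdict pointing at the part of the handshake that failed."""
    who = h.handler or "unknown handler"
    if h.completed:
        return f"{who}: OK, {h.server_version} with {h.chosen}"
    if h.fatal and "no cipher suites in common" in h.fatal:
        return (f"{who}: FAILED, client ({h.client_version}) offered "
                f"{len(h.offered)} suites, none enabled on the server")
    if h.fatal:
        return f"{who}: FAILED, {h.fatal}"
    if h.alerts:
        return f"{who}: FAILED, alert {h.alerts[-1]}"
    return f"{who}: INCOMPLETE, no ServerHello seen"


# Constructed trace: one successful handshake, then one client offering only
# suites the server does not enable.
SAMPLE_LOG = """\
Using SSLEngineImpl.
 Allow unsafe renegotiation: false
 Is initial handshake: true
 LDAP Request Handler 0 for connection handler LDAP Connection Handler port 1636, READ: SSL v2, contentType = Handshake, translated length = 81
 *** ClientHello, TLSv1
 RandomCookie: GMT: 1287771875 bytes = { 68, 231, 5, 253 }
 Session ID: {}
 Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
 ***
 *** ServerHello, TLSv1
 Cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
 ***
 LDAP Request Handler 1 for connection handler LDAP Connection Handler port 1636, READ: TLSv1 Handshake, length = 52
 *** ClientHello, TLSv1
 Session ID: {}
 Cipher Suites: [SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_RC4_128_MD5]
 ***
 LDAP Request Handler 1 for connection handler LDAP Connection Handler port 1636, fatal error: 40: no cipher suites in common
 LDAP Request Handler 1 for connection handler LDAP Connection Handler port 1636, SEND TLSv1 ALERT:  fatal, description = handshake_failure
"""

if __name__ == "__main__":
    for h in parse_handshakes(SAMPLE_LOG):
        print(diagnose(h))
```

Run it against a real logs/server.out with `parse_handshakes(open("logs/server.out").read())`; the offered-suite list of a failing handshake tells you directly which side needs its cipher configuration changed.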

Note that enables debugging of the SSL connections, while enables full debugging, including the use of certificates and more. You can also find more debug options by using



  1. #1 by Matt on 19 July 2011 - 11:50

    Hi Ludovic,

    While not ideal to set everywhere, it can be helpful (necessary) to set

    as well. This was first noticed using LDAP for Unix authentication, but it would probably affect older clients and libraries as well.


  2. #2 by Brad Tumy on 16 February 2012 - 16:43

    I also find it handy when debugging ssl issues to use openssl tools, for example:

    openssl s_client -showcerts -connect

    This will provide a lot of information on the certificate exchange that can be useful in debugging.

  3. #3 by Aleksei on 01 October 2014 - 13:41

    How can I limit the size of this file (server.out) without a restart?

    • #4 by Ludo on 01 October 2014 - 15:01

      Hi Aleksei,

      This is debugging information, I don’t know of a way to limit or roll out the output file.
