
The Ciphers set are not using while connecting to ldap server #145

Open
sherry442 opened this issue May 24, 2023 · 1 comment

Comments

@sherry442

Hi,

We are configuring ciphers as below

sslUtil.setEnabledSSLCipherSuites with
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

But while connecting to the LDAP server, only three ciphers are being used.

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Please let us know why only 3 ciphers are used, and on what basis.

Thank you in advance.

@dirmgr
Collaborator

dirmgr commented May 24, 2023

It's hard to say, honestly. It should be possible to use each of those cipher suites, and if the JVM supports them, then they would all be included in the set of suites that the LDAP SDK has enabled by default. For more information about the cipher suites that the LDAP SDK automatically selects, you can run the command java -jar unboundid-ldapsdk.jar tls-cipher-suite-selector, which displays information about the cipher suites that the JVM supports and has enabled by default, and which of the default-enabled suites the LDAP SDK disables by default and for what reason.

My guess is that the JVM itself is paring down the list of suites for some reason. I'd recommend using the JVM's support for debugging TLS communication to see if it has any information that might be useful. To do that, launch the JVM with "-Djava.net.debug=all", and the debugging information will be written to the terminal (I think standard error).
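As an added diagnostic that is not code from this issue or from the UnboundID LDAP SDK, the stand-alone Java program below takes the seven suite names posted above and reports, for the running JVM, which of them are unsupported, which are supported but not enabled by default, and the current jdk.tls.disabledAlgorithms security property that usually explains a shortened list; the class name and layout are my own.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example (not part of the issue or the LDAP SDK): checks what the
// default SSLContext of the running JVM makes of the requested suite list.
public class CipherSuiteCheck {

    // The seven suites from the issue report, embedded as the input to check.
    static final List<String> REQUESTED = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Classifies one suite name against the JVM's supported and default-enabled sets.
    static String classify(String suite, Set<String> supported, Set<String> enabled) {
        if (!supported.contains(suite)) {
            return "NOT SUPPORTED by this JVM (cannot be offered at all)";
        }
        if (!enabled.contains(suite)) {
            return "supported but NOT enabled by default (check jdk.tls.disabledAlgorithms)";
        }
        return "supported and enabled by default";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println();
        for (String suite : REQUESTED) {
            System.out.printf("%-42s %s%n", suite, classify(suite, supported, enabled));
        }
    }
}
```

Whatever the client offers, each handshake ends with the single suite the server selects from that offer, so a server-side view of connections only ever shows the suites the server actually picked. The JVM's own handshake trace, which lists the exact suites in the ClientHello, is turned on with the javax.net.debug system property (for example -Djavax.net.debug=ssl:handshake).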
