We configured an Active Directory Authenticator in WebLogic and enabled TLSv1.2 only on WebLogic. When we restart the Admin Server it fails to connect to AD with the error below. In the logs we can see the ClientHello going out as TLSv1.2, but AD answers with a ServerHello of TLSv1.1, and that is where the connection fails: the client, limited to TLSv1.2, rejects the version the server chose. If we also enable TLSv1.1, the connection succeeds.
On the AD side all protocols are enabled, and with openssl we can connect to AD over TLSv1.2 (openssl s_client -connect IP:636 -tls1_2).
Note that openssl s_client only exercises the server side of the connection (what AD accepts inbound); it tells you nothing about what the WebLogic JVM offers or accepts on its outbound connection, which is where this failure sits.
openssl s_client -connect <hostname:port> -tls1
openssl s_client -connect <hostname:port> -tls1_1
openssl s_client -connect <hostname:port> -tls1_2
Error logs
<Feb 6, 2019, 1:50:07,170 PM SGT> <Warning> <Security> <BEA-099117> <The LDAP authentication provider named "TEST Active Directory Authenticator" failed to make a connection to LDAP server at ldaps://activedirectory.com:636, the error cause is: Server chose TLSv1.1, but that protocol version is not enabled or not supported by the client..>
<Feb 6, 2019, 1:50:07,171 PM SGT> <Debug> <SecurityAtn> <BEA-000000> <Connecting to host=activedirectory, ssl port=636>
If we enable SSL debug (the JSSE handshake trace), we can see the version each side proposes:
<Feb 13, 2019, 10:25:45,92 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ClientHello, TLSv1.2>
....
<Feb 13, 2019, 10:25:45,107 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ServerHello, TLSv1.1>
....
-Dweblogic.security.SSL.protocolVersion=TLSv1.2 --> this applies to inbound calls (WebLogic's own SSL listen ports)
-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 --> this applies to inbound calls
The parameters below apply to outbound calls, which is what the LDAP authenticator makes; they are read by the JDK's JSSE rather than by WebLogic, and take a comma-separated list of versions:
-Djdk.tls.client.protocols=TLSv1.2
If your application uses the HttpsClient or HttpsURLConnection classes, you also need the https.protocols system property:
-Dhttps.protocols=TLSv1.2
Be aware that restricting jdk.tls.client.protocols to TLSv1.2 affects every outbound TLS connection the JVM makes, not just the one to AD, so every peer it talks to must support TLSv1.2.
Finally, the issue was solved by adding the JVM arguments below:
-Dweblogic.security.SSL.protocolVersion=TLSv1.2 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2
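As an added example (not part of the original post, and not WebLogic or JDK code), the script below replays the kind of SSL debug lines quoted above, pairs each ClientHello with the ServerHello that follows it, and reports whether a client restricted by -Djdk.tls.client.protocols would accept the version the server picked. The sample log lines are constructed from the ones in this post plus a hypothetical successful retry; the acceptance rule is the one JSSE applies (the server may pick the offered version or an older one, but the client aborts if that version is not in its enabled set), reproduced here in Python.

```python
"""Replay WebLogic/JSSE handshake debug lines and explain why a TLS-1.2-only
client rejects a TLSv1.1 ServerHello. Added example; not WebLogic or JDK code."""
import re
from typing import List, Optional, Set, Tuple

# Ranked so that a higher index is a newer protocol version.
PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# JSSE handshake debug as WebLogic echoes it to stdout, e.g.
#   <... AM SGT> <Notice> <Stdout> <BEA-000000> <*** ServerHello, TLSv1.1>
HELLO_RE = re.compile(r"<\*\*\* (ClientHello|ServerHello), (TLSv1(?:\.\d)?)>")

# Constructed sample: the failing handshake quoted in the post, followed by a
# hypothetical second attempt in which the server agreed to TLSv1.2.
SAMPLE_LOG = [
    "<Feb 13, 2019, 10:25:45,91 AM SGT> <Debug> <SecurityAtn> <BEA-000000> <Connecting to host=activedirectory, ssl port=636>",
    "<Feb 13, 2019, 10:25:45,92 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ClientHello, TLSv1.2>",
    "<Feb 13, 2019, 10:25:45,107 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ServerHello, TLSv1.1>",
    "<Feb 13, 2019, 10:26:01,12 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ClientHello, TLSv1.2>",
    "<Feb 13, 2019, 10:26:01,30 AM SGT> <Notice> <Stdout> <BEA-000000> <*** ServerHello, TLSv1.2>",
]


def parse_enabled(jdk_tls_client_protocols: str) -> Set[str]:
    """Turn a -Djdk.tls.client.protocols value such as 'TLSv1.1,TLSv1.2' into a set."""
    enabled = {p.strip() for p in jdk_tls_client_protocols.split(",") if p.strip()}
    unknown = enabled - set(PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown protocol name(s): {sorted(unknown)}")
    return enabled


def negotiated_versions(log_lines) -> List[Tuple[str, str]]:
    """Pair each ClientHello version with the ServerHello version that follows it.

    Lines that are not hello messages (connection notices, other debug) are skipped."""
    pairs: List[Tuple[str, str]] = []
    pending_client: Optional[str] = None
    for line in log_lines:
        m = HELLO_RE.search(line)
        if not m:
            continue
        kind, version = m.groups()
        if kind == "ClientHello":
            pending_client = version
        elif pending_client is not None:
            pairs.append((pending_client, version))
            pending_client = None
    return pairs


def check_handshake(client_version: str, server_version: str, enabled: Set[str]) -> Optional[str]:
    """Return None if the client accepts the ServerHello, otherwise why it aborts.

    The ClientHello carries the highest version the client will speak. The server
    may choose that version or an older one, but the client only continues if the
    chosen version is in its own enabled set; anything newer than offered is a
    protocol violation."""
    if PROTOCOLS.index(server_version) > PROTOCOLS.index(client_version):
        return f"Server chose {server_version}, which is newer than the offered {client_version}"
    if server_version not in enabled:
        return (f"Server chose {server_version}, but that protocol version is "
                "not enabled or not supported by the client")
    return None


def audit(log_lines, jdk_tls_client_protocols: str) -> List[Optional[str]]:
    """Evaluate every handshake in the log under a given jdk.tls.client.protocols setting."""
    enabled = parse_enabled(jdk_tls_client_protocols)
    return [check_handshake(c, s, enabled) for c, s in negotiated_versions(log_lines)]


if __name__ == "__main__":
    for setting in ("TLSv1.2", "TLSv1.1,TLSv1.2"):
        print(f"-Djdk.tls.client.protocols={setting}")
        for (c, s), verdict in zip(negotiated_versions(SAMPLE_LOG), audit(SAMPLE_LOG, setting)):
            print(f"  ClientHello {c} / ServerHello {s}: {verdict or 'OK'}")
```

Running it with the TLSv1.2-only setting reproduces the BEA-099117 reason from the post for the first handshake and accepts the second; widening the setting to TLSv1.1,TLSv1.2 accepts both, which matches the observation that enabling TLSv1.1 made the connection work.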