"SSL Handshake error" occurs due to Active Directory LDAP certificate issue in Deep Security

    • Updated: 1 Dec 2016
    • Product/Version: Deep Security 9.0, 9.5, 9.6
    • Platform: N/A
Summary

When you try to synchronize Active Directory (LDAP) users with Deep Security, or after the domain controller's LDAPS certificate has been changed, the following error appears:

Error on Re-Synchronize
Unable to connect to the computer 'computer.name.fqdn' on port 636: SSL Handshake error

At the same time, the Deep Security Manager (DSM) main log, \Deep Security Manager\Server0.log, shows the following:

Nov 20, 2016 1:00:04 PM com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.UserSynchronizeJob onRun 
SEVERE: ThID:1227|TID:0|TNAME:Primary|UID:-1|UNAME:|Administrator Synchronize Job Failed: 
javax.naming.CommunicationException: simple bind failed: server.name.fqdn [Root exception is
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
Certificates does not conform to algorithm constraints]

The root exception comes from the manager's Java TLS stack (javax.net.ssl), and "Certificates does not conform to algorithm constraints" means the certificate was not rejected for the usual reasons (expiry, untrusted issuer, name mismatch) but because of its signature algorithm: the certificate presented on port 636 is signed with RSASSA-PSS.

Details

The TLS versions implemented by the Java runtime that Deep Security Manager 9.x uses define no signature scheme for RSASSA-PSS (OID 1.2.840.113549.1.1.10), so a certificate chain signed with it cannot be used for the LDAPS connection. Active Directory domain controllers and Windows Certification Authorities can nevertheless issue and use such certificates: a Windows CA produces RSASSA-PSS signatures when its AlternateSignatureAlgorithm setting is enabled (via CAPolicy.inf or certutil -setreg CA\CSP\AlternateSignatureAlgorithm 1).

This is an interoperability limitation, not a weakness of the algorithm. RSASSA-PSS is not insecure; it is simply unsupported by Deep Security, and the manager treats an unsupported signature algorithm as a constraint violation and aborts the handshake.

To resolve the error:

  1. Issue the certificate for the domain controller that Deep Security connects to with a TLS-compatible signature algorithm, that is, RSA with PKCS#1 v1.5 padding and SHA-256 or SHA-512 (shown as sha256RSA or sha512RSA in Windows certificate properties).
  2. Rebuild the CA with the new signature algorithm. This is necessary because the signature algorithm (AlternateSignatureAlgorithm) is a base setting of the CA and applies to the CA certificate itself, which is part of the chain the manager validates.
  3. Renew all the certificates published by that CA, so that no certificate in the chain presented on port 636 carries an RSASSA-PSS signature.

After the renewal, confirm that the domain controller's certificate and every CA certificate in its chain show sha256RSA or sha512RSA as the signature algorithm, then run Synchronize Now again in the manager.

Alternatively, you may use a self-signed certificate (with a sha256RSA or sha512RSA signature) on the Active Directory server only, leaving the CA unchanged for everything else.
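The check above, which signature algorithm a certificate carries, can be done without Windows tooling. The following script is an added example written for this article; it is not Deep Security code and not part of the original Trend Micro article. It walks just enough DER to read the outer signatureAlgorithm of an X.509 certificate, reports whether it is RSASSA-PSS, and can fetch the leaf certificate from an LDAPS port (the host name and port are placeholders you supply). The sample certificates it builds are constructed, structurally minimal stand-ins, not real signed certificates.

```python
"""Which signature algorithm signs this X.509 certificate?

Deep Security Manager's Java TLS stack rejects RSASSA-PSS-signed certificates with
'Certificates does not conform to algorithm constraints'. This script reads the outer
signatureAlgorithm of a certificate (DER or PEM) with a minimal DER walk, stdlib only,
and can also pull the leaf certificate from an LDAPS port for a quick diagnosis.
"""
import base64
import ssl
import sys

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"
KNOWN_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Returns the OID inside signatureAlgorithm (an AlgorithmIdentifier SEQUENCE)."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)                 # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)           # signatureAlgorithm
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def classify(der):
    """Name the signature algorithm and flag the one Deep Security rejects."""
    oid = signature_algorithm_oid(der)
    return {"oid": oid, "name": KNOWN_SIG_OIDS.get(oid, oid),
            "rsassa_pss": oid == RSASSA_PSS_OID}


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def check_ldaps_server(host, port=636):
    """Fetch the leaf certificate presented on host:port (no chain validation;
    this is a diagnostic, not a trust decision) and classify its signature.
    Check the issuing CA certificates separately: a PSS-signed CA cert fails too."""
    return classify(pem_to_der(ssl.get_server_certificate((host, port))))


# --- constructed sample data: certificate-shaped DER, NOT real signed certs ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return bytes(out)


def build_fake_certificate(sig_oid):
    """Placeholder tbsCertificate and signature around a real AlgorithmIdentifier."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))               # stand-in body (version)
    params = _tlv(0x30, b"") if sig_oid == RSASSA_PSS_OID else _tlv(0x05, b"")
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    sig = _tlv(0x03, b"\x00" + bytes(32))               # stand-in BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:                               # e.g. dc01.example.com:636
        host, _, port = sys.argv[1].partition(":")
        print(check_ldaps_server(host, int(port or 636)))
    for oid in (RSASSA_PSS_OID, "1.2.840.113549.1.1.11"):
        print(classify(build_fake_certificate(oid)))
```

Run it with the domain controller's FQDN as the only argument from the DSM host itself, so the check goes through the same network path the manager uses. A result of rsassa_pss: True on the leaf, or on any exported CA certificate fed to classify(pem_to_der(...)), is exactly the condition that produces the handshake error above; RSASSA-PSS certificates also show "RSASSA-PSS" as the signature algorithm in the Windows certificate viewer.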

Category:
Troubleshoot
Solution Id:
1115964