LDAP interface troubleshooting
Before you contact Support, use this troubleshooting information to identify the cause of the error you experienced.
If an LDAP request takes more than two minutes to evaluate, the LDAP Interface stops evaluating it and returns LDAP result code 3 (timeLimitExceeded). Narrow the search base or filter so that the request completes within that limit.
If your client reports an error similar to the following, it tells you only that the TLS handshake failed, not why.
For a Java client, rerun it with the -Djavax.net.debug=ssl JVM option and the handshake trace shows the reason. For example:
Connection reader for connection 0 to <org>.ldap.okta.com:636, READ: TLSv1.2 Alert, length = 2
Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure
Connection reader for connection 0 to <org>.example.okta.com:636, called closeSocket()
Connection reader for connection 0 to <org>.example.okta.com:636, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
In this trace the client attempted a TLSv1.1 handshake and the server, which speaks TLSv1.2, rejected it with a fatal handshake_failure alert and closed the connection. A fatal alert with length 2 carries only a level byte and a description byte, so the trace itself is the only place the reason is visible; the exception message the application sees does not include it.
For C-based clients, use SSLTap or OpenSSL (for example openssl s_client) to trace the handshake. The following failure shows a handshake rejected because the client offered SSLv3.
The following example shows a handshake rejected because the client offered no cipher suite that the server supports.
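The two failure modes above (protocol version mismatch and unsupported cipher) look identical to the application, which only sees handshake_failure. The following script is an added example, not code from this page or from Okta: it decodes a raw TLS alert record (the 2-byte alert the trace calls "length = 2"), scans -Djavax.net.debug=ssl output to separate a version mismatch from a cipher problem, and offers a live probe that tries each TLS version against an LDAPS endpoint. The sample trace lines are constructed for the example; the ClientHello line format ("*** ClientHello, TLSv1.1") is the JDK 8 style of javax.net.debug output and is an assumption, as is the <org>.ldap.okta.com hostname, and the probe only runs when you invoke it against a real host.

```python
"""Added example (not Okta's code): triage an LDAPS TLS handshake failure."""
import re
import socket
import ssl

# AlertDescription values (RFC 5246 / RFC 8446) a client most often receives.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
# TLS record-layer version bytes -> name.
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}


def decode_tls_alert(record: bytes) -> dict:
    """Parse one TLS alert record: type(1) version(2) length(2) level(1) desc(1).

    Content type 0x15 is 'alert'; level 2 is fatal. Feed it the 7 bytes the
    server sent (from a packet capture or SSLTap) to name the alert.
    """
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    length = int.from_bytes(record[3:5], "big")
    if length != 2:
        raise ValueError("alert body must be exactly 2 bytes, got %d" % length)
    return {
        "record_version": TLS_VERSIONS.get((record[1], record[2]), "unknown"),
        "level": {1: "warning", 2: "fatal"}.get(record[5], "unknown"),
        "description": ALERT_DESCRIPTIONS.get(record[6], "unknown(%d)" % record[6]),
    }


# Constructed sample traces (JDK 8 style javax.net.debug=ssl output, an assumption).
SAMPLE_VERSION_MISMATCH = [
    "*** ClientHello, TLSv1.1",
    "Connection reader for connection 0 to <org>.ldap.okta.com:636, READ: TLSv1.2 Alert, length = 2",
    "Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure",
]
SAMPLE_CIPHER_MISMATCH = [
    "*** ClientHello, TLSv1.2",
    "Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure",
]

ALERT_RE = re.compile(r"RECV (TLSv1\.\d|SSLv3) ALERT: (\w+), (\w+)")
CLIENT_HELLO_RE = re.compile(r"ClientHello, (TLSv1\.\d|SSLv3)")


def diagnose_java_ssl_debug(lines) -> str:
    """Return a one-line diagnosis from javax.net.debug=ssl trace lines."""
    alert = hello_version = None
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            alert = m.groups()          # (server record version, level, description)
        m = CLIENT_HELLO_RE.search(line)
        if m:
            hello_version = m.group(1)  # version the client offered
    if alert is None:
        return "no TLS alert in trace"
    server_version, level, description = alert
    if description == "handshake_failure":
        if hello_version and hello_version != server_version:
            return ("protocol version mismatch: client offered %s, server answered %s"
                    % (hello_version, server_version))
        return ("handshake_failure with matching version %s: check the cipher suites "
                "the client offers" % server_version)
    return "%s alert: %s" % (level, description)


def probe_tls_versions(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Try one handshake per TLS version; map version name -> 'ok' or the error.

    Network call; run by hand against your LDAPS host. A rejection from the
    local OpenSSL policy (old versions disabled) is reported like any other.
    """
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = ctx.maximum_version = version
        except ValueError:
            results[version.name] = "not supported by local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = "ok (%s)" % tls.cipher()[0]
        except ssl.SSLError as e:
            results[version.name] = "rejected: %s" % e.reason
        except OSError as e:
            results[version.name] = "connection error: %s" % e
    return results


if __name__ == "__main__":
    print(decode_tls_alert(bytes.fromhex("15030300020228")))
    print(diagnose_java_ssl_debug(SAMPLE_VERSION_MISMATCH))
    print(diagnose_java_ssl_debug(SAMPLE_CIPHER_MISMATCH))
```

Use decode_tls_alert on the 7 bytes following the ServerHello failure in a capture, and diagnose_java_ssl_debug on the saved JVM trace; if both point at the same TLS version that the server answered with, the remaining suspect is the cipher list, which probe_tls_versions confirms by showing which versions the server completes a handshake for.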