directory-api mailing list archives

From Karim Hosny <karim.ho...@its.ws>
Subject RE: Problem using TLS or SSL to establish a secure binding
Date Wed, 25 Mar 2015 10:03:30 GMT


Unfortunately I have to use Java 6 because of an old system.
Thanks for patching the code; unfortunately I have issues running Maven with Eclipse to generate
a new build. Did you generate a new jar, or is it going to be released in the next sprint or
release?

Karim

-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com] 
Sent: Wednesday, March 25, 2015 11:54 AM
To: api@directory.apache.org
Subject: Re: Problem using TLS or SSL to establish a secure binding

On 25/03/15 09:49, Karim Hosny wrote:
> Same error, it ignores the setSslProtocol method completely and the 
> error message shows up for TLSv1.1
Ahhh, I know what's wrong. We define the list of supported protocols:

            // Be sure we disable SSLV3
            sslFilter.setEnabledProtocols( new String[]
                { "TLSv1", "TLSv1.1", "TLSv1.2" } );

and this list is used to initialize the SslEngine. It's likely not to be accepted when running
with Java 6...

Any reason you have to run your code with Java 6, which is EOL since February 2013? TLSv1
is proven to be broken, and you should *never* use it, and as it's the highest supported protocol
in Java 6, that would put your client in high risk...

Anyway, I'm going to patch the API to allow users to define the list of protocols to use.
Here is the patch if you want to apply it to the code base on your own:

Index:
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java
===================================================================
---
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java
  
(revision 1667210)
+++
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java
  
(working copy)
@@ -99,6 +99,9 @@
     /** an array of cipher suites which are enabled, if set, will be used while initializing
the SSL context */
     private String[] enabledCipherSuites;
 
+    /** an array of protocols which are enabled, if set, will be used
while initializing the SSL context */
+    private String[] enabledProtocols;
+
     /** name of the protocol used for creating SSL context, default value is "TLS" */
     private String sslProtocol = DEFAULT_SSL_PROTOCOL;
 
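Review bot: the Javadoc on the new `enabledProtocols` field does not say what happens when it is left unset; the connection code further down falls back to a built-in TLSv1/TLSv1.1/TLSv1.2 list in that case, so state that here (e.g. "if null or empty, the default TLS protocol list is used") so callers know the property is optional and what they get by default.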
@@ -452,6 +455,28 @@
 
 
     /**
+     * Gets the protocols which are enabled.
+     *
+     * @return the protocol which are enabled
+     */
+    public String[] getEnabledProtocols()
+    {
+        return enabledProtocols;
+    }
+
+
+    /**
+     * Sets the protocols which are enabled
+     *
+     * @param enabledProtocols the protocols which are enabled
+     */
+    public void setEnabledProtocols( String... enabledProtocols )
+    {
+        this.enabledProtocols = enabledProtocols;
+    }
+
+
+    /**
      * @return the binaryAttributeDetector
      */
     public BinaryAttributeDetector getBinaryAttributeDetector()
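Review bot: the getter Javadoc reads `@return the protocol which are enabled`; it should be `protocols`. Also, both `getEnabledProtocols()` and the varargs `setEnabledProtocols( String... enabledProtocols )` pass the array through by reference, so a caller can alter the configured protocol list after it has been set; consider returning and storing a copy (`enabledProtocols.clone()`), as is usual for array-typed configuration properties, and mirror whatever `getEnabledCipherSuites()` already does.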
Index:
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java
===================================================================
---
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java
  
(revision 1667210)
+++
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java
  
(working copy)
@@ -3827,12 +3827,29 @@
 
             SslFilter sslFilter = new SslFilter( sslContext, true );
             sslFilter.setUseClientMode( true );
-            sslFilter.setEnabledCipherSuites(
config.getEnabledCipherSuites() );
 
+            // Configure the enabled cipher lists
+            String[] enabledCipherSuite = 
+ config.getEnabledCipherSuites();
+
+            if ( ( enabledCipherSuite != null ) && (
enabledCipherSuite.length != 0 ) )
+            {
+                sslFilter.setEnabledCipherSuites( enabledCipherSuite );
+            }
+
             // Be sure we disable SSLV3
-            sslFilter.setEnabledProtocols( new String[]
-                { "TLSv1", "TLSv1.1", "TLSv1.2" } );
+            String[] enabledProtocols = config.getEnabledProtocols();
 
+            if ( ( enabledProtocols != null ) && (
enabledProtocols.length != 0 ) )
+            {
+                sslFilter.setEnabledProtocols( enabledProtocols );
+            }
+            else
+            {
+                // Default to TLS
+                sslFilter.setEnabledProtocols( new String[]
+                    { "TLSv1", "TLSv1.1", "TLSv1.2" } );
+            }
+
             // for LDAPS
             if ( ldapSession == null )
             {
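Review bot: the `// Be sure we disable SSLV3` comment now sits above a branch that hands a caller-supplied list straight to `sslFilter.setEnabledProtocols( enabledProtocols )`, so it no longer holds: a config containing `"SSLv3"` will enable it. Either move the comment into the `else` branch beside `// Default to TLS`, or reject `SSLv3` (and `SSLv2Hello`) from the user list before applying it, so the documented guarantee survives the new setter. The cipher-suite guard is fine, but note in the commit message that `setEnabledCipherSuites( null )` is no longer called when the config has no suites set, since that is a behaviour change for the filter.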



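The failure Emmanuel describes is a protocol name the running JVM does not know being passed to setEnabledProtocols(), which the SSLEngine rejects. As an added example (not code from this thread or from the Apache Directory project), the snippet below intersects a preferred protocol list with what the JVM's default SSLContext reports as supported and feeds the result to the setEnabledProtocols() setter the patch introduces; the host and port are placeholders.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

import org.apache.directory.ldap.client.api.LdapConnectionConfig;

public class TlsProtocolSelection
{
    /** Protocols we are willing to enable, strongest first; "TLSv1" is a last resort only. */
    private static final String[] PREFERRED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /**
     * Returns the subset of PREFERRED that the given JVM-supported list contains,
     * in preference order. On Java 6 this yields { "TLSv1" }; on Java 7+ the full list.
     * An empty result means the JVM offers nothing we are willing to use.
     */
    public static String[] negotiableProtocols( String[] supported )
    {
        List<String> available = Arrays.asList( supported );
        List<String> result = new ArrayList<String>();

        for ( String proto : PREFERRED )
        {
            if ( available.contains( proto ) )
            {
                result.add( proto );
            }
        }

        return result.toArray( new String[result.size()] );
    }

    public static void main( String[] args ) throws NoSuchAlgorithmException
    {
        // Ask the JVM what it can actually negotiate instead of hard-coding names
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        String[] enabled = negotiableProtocols( supported );

        if ( enabled.length == 0 )
        {
            throw new IllegalStateException( "JVM supports none of " + Arrays.toString( PREFERRED ) );
        }

        // Placeholder endpoint; replace with the real LDAPS host and port
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost( "ldap.example.org" );
        config.setLdapPort( 636 );
        config.setUseSsl( true );
        // Only names the SSLEngine accepts are passed, so this cannot fail on an older JVM
        config.setEnabledProtocols( enabled );
    }
}
```

If the strongest entry in the resulting list is "TLSv1", the warning above about Java 6 applies unchanged; the check only prevents the setup failure, it does not make the protocol safe.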