From: "Kiran Ayyagari (JIRA)"
To: dev@directory.apache.org
Date: Mon, 18 Oct 2010 17:10:38 -0400 (EDT)
Subject: [jira] Closed: (DIRSERVER-1164) SSL Cert Compatibility issue with LDAPS for Outlook Clients
Message-ID: <24596865.29891287436238541.JavaMail.jira@thor>
In-Reply-To: <1074830138.1209052522215.JavaMail.jira@brutus>
List: Apache Directory Developers List (dev@directory.apache.org)

[ https://issues.apache.org/jira/browse/DIRSERVER-1164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari closed DIRSERVER-1164.
-------------------------------------

    Resolution: Fixed

Closing this issue, reopen if needed.

> SSL Cert Compatibility issue with LDAPS for Outlook Clients
> -----------------------------------------------------------
>
>                 Key: DIRSERVER-1164
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1164
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: ldap
>    Affects Versions: 1.5.2
>            Reporter: Steve
>            Assignee: Kiran Ayyagari
>             Fix For: 2.0.0-RC1
>
>
> Any Outlook version will simply refuse the service to LDAPS on a default ApacheDS installation.
> The SSL certificate has to match the hostname exactly - if it is empty or you do not connect using
> the DNS name - Outlook will simply refuse the connection even if the cert itself is trusted.
> The standard ApacheDS 1.5.2 distribution should work out of the box with Outlook clients for using LDAPS -
> the only catch is the SSL certificate which is automatically generated by ApacheDS - it is neither
> trusted by Outlook - nor does it contain a valid common name (the DNS name of the server) it seems.
> The first issue can of course not be resolved by the auto key generation when you start up the server - but maybe the DNS address of the certificate.
> Even then - there needs to be a way to easily extract the generated public key so that you can manually trust it on Windows clients.
> This issue only applies to Outlook clients - Thunderbird/LDAPBrowser and Co will ask the user if they want to connect to untrusted sites.
> Alternatively - there should be an option for admins to simply change the SSL key to a valid/trusted one - in 1.5.2 the only way I found so far
> for modifying the SSL key is programmatically, this way:
>
> import java.io.FileInputStream;
> import java.security.KeyStore;
> import java.security.PrivateKey;
> import java.security.PublicKey;
> import java.security.cert.Certificate;
> import java.util.List;
> import javax.naming.directory.Attributes;
> import javax.naming.directory.BasicAttributes;
> // ApacheDS 1.5.x core / shared-ldap package locations for the classes used below.
> import org.apache.directory.server.core.DirectoryService;
> import org.apache.directory.server.core.entry.ServerEntryUtils;
> import org.apache.directory.server.core.interceptor.context.EntryOperationContext;
> import org.apache.directory.server.core.interceptor.context.ModifyOperationContext;
> import org.apache.directory.server.core.partition.PartitionNexus;
> import org.apache.directory.server.core.security.TlsKeyGenerator;
> import org.apache.directory.shared.ldap.entry.Modification;
> import org.apache.directory.shared.ldap.entry.ModificationOperation;
>
> // Replaces the key pair and certificate that ApacheDS 1.5.x stores on the admin
> // entry (PartitionNexus.getAdminName()) and serves for LDAPS. The keystore is a
> // PKCS#12 file holding one private key and its certificate under the given alias.
> void installTlsKey(DirectoryService directoryService, String p12Path,
>         char[] password, String alias) throws Exception {
>     EntryOperationContext adminEntry = new EntryOperationContext(
>             directoryService.getRegistries(), PartitionNexus.getAdminName());
>     if (!directoryService.getPartitionNexus().hasEntry(adminEntry)) {
>         throw new IllegalStateException("admin entry not found");
>     }
>
>     KeyStore store = KeyStore.getInstance("PKCS12");
>     FileInputStream in = new FileInputStream(p12Path);
>     try {
>         store.load(in, password);
>     } finally {
>         in.close();
>     }
>     PrivateKey privateKey = (PrivateKey) store.getKey(alias, password);
>     Certificate cert = store.getCertificate(alias);
>     PublicKey publicKey = cert.getPublicKey();
>
>     // Same attribute names TlsKeyGenerator uses for the auto-generated key.
>     Attributes entry = new BasicAttributes();
>     entry.put(TlsKeyGenerator.KEY_ALGORITHM_AT, privateKey.getAlgorithm());
>     entry.put(TlsKeyGenerator.PRIVATE_KEY_AT, privateKey.getEncoded());
>     entry.put(TlsKeyGenerator.PRIVATE_KEY_FORMAT_AT, privateKey.getFormat());
>     entry.put(TlsKeyGenerator.PUBLIC_KEY_AT, publicKey.getEncoded());
>     entry.put(TlsKeyGenerator.PUBLIC_KEY_FORMAT_AT, publicKey.getFormat());
>     entry.put(TlsKeyGenerator.USER_CERTIFICATE_AT, cert.getEncoded());
>
>     List<Modification> items = ModifyOperationContext.createModItems(
>             ServerEntryUtils.toServerEntry(entry, PartitionNexus.getAdminName(),
>                     directoryService.getRegistries()),
>             ModificationOperation.REPLACE_ATTRIBUTE);
>     directoryService.getPartitionNexus().modify(new ModifyOperationContext(
>             directoryService.getRegistries(), PartitionNexus.getAdminName(), items));
> }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
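The reporter's observation is the hostname-identity check every strict TLS client applies: the name the client connects to must appear in the server certificate (a subjectAltName dNSName, or an iPAddress entry when connecting by IP; the subject CN only as a legacy fallback when no dNSName SAN exists), so a self-signed certificate with a placeholder CN, an empty CN, or a connection by IP or short hostname fails regardless of trust. The following is an added example, not ApacheDS code or anything from the issue: a stand-alone implementation of that check over certificate descriptions in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates and host names are constructed placeholders; run it against a real LDAPS server by passing `getpeercert()`'s result to `hostname_matches`.

```python
"""Hostname check an LDAPS client applies to a server certificate.

Added example, not ApacheDS code. The certificate dicts are constructed in
the layout returned by ssl.SSLSocket.getpeercert(); names are placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, trailing dot ignored, and a
    single leading wildcard label may stand in for exactly one label and
    never for the registered domain (so '*.test' matches nothing here)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False  # an empty CN can never be a valid identity
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: Dict) -> Tuple[List[str], List[str], str]:
    """Return (SAN dNSNames, SAN iPAddresses, subject commonName or '')."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    cn = ""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    return dns, ips, cn


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True when the name the client connected to is an identity of cert."""
    dns, ips, cn = cert_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP only matches an iPAddress SAN, never a CN.
        return any(ipaddress.ip_address(v) == ip for v in ips)
    if dns:
        # Once a dNSName SAN is present the CN is ignored entirely.
        return any(_dns_matches(p, hostname) for p in dns)
    return _dns_matches(cn, hostname)


# Constructed: a self-signed certificate whose CN is not the server's DNS
# name and which carries no SAN, the shape the issue complains about.
PLACEHOLDER_CERT = {"subject": ((("commonName", "Directory Server"),),)}

# Constructed: a certificate issued for the server's DNS name with a SAN
# covering both the name and the address clients might connect to.
SERVER_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"), ("IP Address", "192.0.2.10")),
}


if __name__ == "__main__":
    for cert_name, cert in (("placeholder", PLACEHOLDER_CERT), ("server", SERVER_CERT)):
        for target in ("ldap.example.test", "ldap", "192.0.2.10"):
            print(cert_name, target, hostname_matches(cert, target))
```

The check treats the CN as a fallback only because that is what clients do; the fix for the issue is therefore a certificate whose SAN carries the exact DNS name (and, if clients connect by address, the IP) that users type into Outlook, not merely a "better" CN.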