directory-dev mailing list archives

From "Achim Willems (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-1857) Allow registration of an LdapsInitializer at the LdapServer
Date Fri, 14 Jun 2013 11:15:20 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683295#comment-13683295 ]

Achim Willems commented on DIRSERVER-1857:
------------------------------------------

I think it's not only a matter of setting the TrustManager. I'm not very familiar with Apache
MINA, but isn't it also necessary to call setNeedClientAuth(true) on the sslFilter?

Another reason why it might be useful to use an interface to set up the SSL connection is
that one would be more flexible regarding the type of key and trust stores. The current
implementation allows only file key stores, which are not always applicable. In our company,
for example, we often have to use hardware security modules which need special implementations
of key and trust stores.

> Allow registration of an LdapsInitializer at the LdapServer
> -----------------------------------------------------------
>
>                 Key: DIRSERVER-1857
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1857
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 2.0.0-M12
>            Reporter: Achim Willems
>
> Due to a BSI directive we need mutual authentication for SSL/TLS connections. BSI (Bundesamt
> für Sicherheit in der Informationstechnik) is a German governmental organization. This means
> that we cannot ignore this directive.
> The current implementation of org.apache.directory.server.ldap.LdapServer uses the static
> method org.apache.directory.server.ldap.handlers.ssl.LdapsInitializer.init to initialize the
> SSL communication.
> It would be helpful to have an LdapsInitializer interface with a default implementation
> (i.e. the current implementation is the default) and the possibility to register this interface
> at the LdapServer.
> We then could implement our own version of the initializer to establish the necessary
> behaviour.

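As an added example (not ApacheDS or Apache MINA project code) of what the proposal in this thread amounts to: a hypothetical `LdapsInitializer` interface whose implementation decides where key and trust material lives (here an HSM reached through a PKCS#11 provider, instead of the file-only key stores the current code supports), and a chain builder that applies both halves of mutual authentication raised in the comment, the TrustManager and `setNeedClientAuth(true)` on the SslFilter. The interface name and its method signatures are assumptions; the MINA `SslFilter` and `javax.net.ssl` calls are real APIs, and the PKCS#11 provider is assumed to be registered already.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
import org.apache.mina.filter.ssl.SslFilter;

/** Hypothetical extension point (not the ApacheDS API): the implementor chooses where key and trust material comes from.
 *  The existing file-based behaviour would simply be one more implementation of this interface. */
interface LdapsInitializer {
    KeyStore keyStore() throws Exception;
    char[] keyPassword();
    KeyStore trustStore() throws Exception;
}

/** HSM-backed initializer: assumes a PKCS#11 provider (e.g. SunPKCS11) is already registered with the JVM. */
class Pkcs11Initializer implements LdapsInitializer {
    private final char[] pin;
    Pkcs11Initializer(char[] pin) { this.pin = pin; }
    public KeyStore keyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin); // the token holds the private key; there is no file to read
        return ks;
    }
    public char[] keyPassword() { return pin; }
    public KeyStore trustStore() throws Exception { return keyStore(); } // CA certs kept on the same token
}

class LdapsFilterChain {
    /** Builds the MINA filter chain for LDAPS; mutual TLS needs both the TrustManager and setNeedClientAuth(true). */
    static DefaultIoFilterChainBuilder build(LdapsInitializer init) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(init.keyStore(), init.keyPassword());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(init.trustStore()); // only client certificates chaining to this store are accepted
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        SslFilter ssl = new SslFilter(ctx);
        ssl.setUseClientMode(false);
        ssl.setNeedClientAuth(true); // require a client certificate rather than merely requesting one
        DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
        chain.addLast("sslFilter", ssl);
        return chain;
    }
}
```

Whatever store the initializer returns is the entire authorization policy for client certificates: the default X.509 TrustManager validates the presented chain against it but does not check revocation unless PKIX revocation checking is configured separately.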