directory-dev mailing list archives

From "Alexander Kozlov (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSERVER-2012) Replication ignores startTLS when ads-replStrictCertValidation is true
Date Thu, 16 Oct 2014 15:52:34 GMT
Alexander Kozlov created DIRSERVER-2012:
-------------------------------------------

             Summary: Replication ignores startTLS when ads-replStrictCertValidation is true
                 Key: DIRSERVER-2012
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2012
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: ldap
    Affects Versions: 2.0.0-M16
            Reporter: Alexander Kozlov
            Priority: Critical
             Fix For: 2.0.0-M18


*Precondition:*
1. Assume that the replication server does not have a valid certificate
2. Set up replication with _ads-replUseTls=true_ and _ads-replStrictCertValidation=true_

*Expected result:*
I think in that case the connection should always fail!

*Observed result:*
The first connect to that server really fails with InvalidConnectionException, but the next
time _ReplicationConsumerImpl_ reconnects it ignores _startTLS_ and successfully connects
over TCP!

The problem is caused by the _ReplicationConsumerImpl_ implementation:

{code}
if ( connection == null )
{
    connection = new LdapNetworkConnection( providerHost, port );
    connection.setTimeOut( -1L );
    connection.setSchemaManager( schemaManager );

    if ( config.isUseTls() )
    {
        // Only reached while connection is still null: if startTls() throws,
        // connection already holds the plain object and this whole block is
        // skipped on every later reconnect attempt.
        connection.getConfig().setTrustManagers( config.getTrustManager() );
        connection.startTls();
    }

    connection.addConnectionClosedEventListener( this );
}

// Try to connect: on a reconnect this runs over plain TCP, no TLS involved
if ( connection.connect() )
{code}

The first time, the _startTls()_ method fails, but on reconnect it is not called because
_connection_ is no longer _null_.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
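To show the lifecycle bug described above next to a fail-closed reconnect path, here is an added example; it is not ApacheDS code and not the fix shipped in 2.0.0-M18. A constructed FakeConnection stands in for LdapNetworkConnection, strict certificate validation is modelled as startTls() throwing, and the hardened branch discards the half-initialised connection and refuses to connect without TLS.

```java
import java.util.ArrayList;
import java.util.List;

public class ReconnectTlsDemo {
    /** Constructed stand-in for LdapNetworkConnection (not the real class). */
    static class FakeConnection {
        final boolean certValid;
        boolean tls;
        FakeConnection(boolean certValid) { this.certValid = certValid; }
        void startTls() {                  // strict validation rejects the bad cert
            if (!certValid) throw new IllegalStateException("certificate rejected");
            tls = true;
        }
        boolean connect() { return true; } // plain TCP always succeeds
    }

    /** Holds the consumer's connection field across attempts. */
    static class Holder { FakeConnection connection; }

    /** One consumer attempt; returns "tls", "plaintext" or "failed". */
    static String attempt(Holder h, boolean certValid, boolean failClosed) {
        try {
            if (h.connection == null) {    // same guard as the reported code
                h.connection = new FakeConnection(certValid);
                h.connection.startTls();   // throws; connection stays non-null
            }
            // Hardened: never proceed on a connection whose TLS step never completed.
            if (failClosed && !h.connection.tls) {
                throw new IllegalStateException("TLS not established");
            }
            h.connection.connect();
            return h.connection.tls ? "tls" : "plaintext";
        } catch (IllegalStateException e) {
            // Hardened: drop the half-initialised object so the next attempt
            // rebuilds it and runs startTls() again instead of skipping it.
            if (failClosed) h.connection = null;
            return "failed";
        }
    }

    public static void main(String[] args) {
        for (boolean failClosed : new boolean[] {false, true}) {
            Holder h = new Holder();
            List<String> results = new ArrayList<>();
            for (int i = 0; i < 2; i++) results.add(attempt(h, false, failClosed));
            System.out.println((failClosed ? "hardened: " : "as reported: ") + results);
        }
    }
}
```

Run with `java ReconnectTlsDemo.java` (Java 11+): the first loop reproduces the downgrade to a plaintext link on the second attempt, the second loop shows every attempt failing as the reporter expects.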
