directory-dev mailing list archives

From "Natan Abolafya (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRAPI-301) Ldaps connection trusts all certificates
Date Fri, 08 Sep 2017 17:23:00 GMT
Natan Abolafya created DIRAPI-301:
-------------------------------------

             Summary: Ldaps connection trusts all certificates
                 Key: DIRAPI-301
                 URL: https://issues.apache.org/jira/browse/DIRAPI-301
             Project: Directory Client API
          Issue Type: Bug
    Affects Versions: 1.0.0-RC3
         Environment: Windows 10 & Ubuntu 14.04
            Reporter: Natan Abolafya


Thankfully we had an integration test for this, otherwise this is a major security issue.

This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0, the test started
failing. "Affects version" says there is no 1.0.0 btw, but Maven disagrees.

I don't know about the raw APIs but this happens when `LdapConnectionTemplate` is used. Thankfully
I was able to work around it by assigning Java's default TrustManager.

LdapConnectionConfig config = new LdapConnectionConfig();
....
// Workaround: hand the connection the JDK's default trust managers.
// init((KeyStore) null) loads the JRE's default trust store.
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
config.setTrustManagers(tmf.getTrustManagers());
...
DefaultLdapConnectionFactory connectionFactory = new DefaultLdapConnectionFactory(config);
return new LdapConnectionTemplate(new LdapConnectionPool(new ValidatingPoolableLdapConnectionFactory(connectionFactory)));



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
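
A regression check for the behaviour reported above, as an added example that is not code from the reporter or from the Directory Client API project: it flags any `X509TrustManager` that accepts a server chain without validating it, using only JDK classes. The class name `TrustManagerProbe`, the method `acceptsAnything` and the trust-all stand-in are hypothetical; in a real test the array passed in would be the one given to `config.setTrustManagers(...)`.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerProbe {

    /**
     * Returns true if any X509TrustManager in the array returns normally for an
     * empty server chain. The X509TrustManager contract requires an
     * IllegalArgumentException for a null or zero-length chain, so a normal
     * return means the manager performs no validation at all.
     */
    static boolean acceptsAnything(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            try {
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[0], "RSA");
                return true; // no exception: nothing was checked
            } catch (IllegalArgumentException | CertificateException rejected) {
                // A validating manager refuses the empty chain; keep looking.
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a trust-all manager (assumption, not project code).
        TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };

        // The JDK default trust managers, built as in the workaround above.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        boolean flaggedTrustAll = acceptsAnything(new TrustManager[] { trustAll });
        boolean flaggedDefault = acceptsAnything(tmf.getTrustManagers());
        System.out.println("trust-all flagged: " + flaggedTrustAll);
        System.out.println("JDK default flagged: " + flaggedDefault);
        if (!flaggedTrustAll || flaggedDefault) {
            throw new AssertionError("probe did not separate trust-all from the JDK default");
        }
    }
}
```

The probe only catches managers that skip validation entirely; it complements an integration test against a server presenting an untrusted certificate and does not replace it.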
