directory-dev mailing list archives

From "Stefan Seelmann (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRAPI-301) Ldaps connection trusts all certificates
Date Sat, 09 Sep 2017 16:15:03 GMT

    [ https://issues.apache.org/jira/browse/DIRAPI-301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16159994#comment-16159994 ]

Stefan Seelmann commented on DIRAPI-301:
----------------------------------------

Thanks for reporting this issue. In {{LdapConnectionConfig.setDefaultTrustManager()}} the
{{NoVerificationTrustManager}} is set by default which is really bad.

> Ldaps connection trusts all certificates
> ----------------------------------------
>
>                 Key: DIRAPI-301
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-301
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>         Environment: Windows 10 & Ubuntu 14.04
>            Reporter: Natan Abolafya
>              Labels: security
>
> Thankfully we had an integration test for this, otherwise this is a major security issue.
> This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0, the test
> started failing. "Affects version" says there is no 1.0.0 btw, but Maven disagrees.
> I don't know about the raw APIs but this happens when `LdapConnectionTemplate` is used.
> Thankfully I was able to work around it by assigning Java's default TrustManager.
> LdapConnectionConfig config = new LdapConnectionConfig();
> ....
> TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> tmf.init((KeyStore) null);
> config.setTrustManagers(tmf.getTrustManagers());
> ...
> DefaultLdapConnectionFactory connectionFactory = new DefaultLdapConnectionFactory(config);
> return new LdapConnectionTemplate(new LdapConnectionPool(new ValidatingPoolableLdapConnectionFactory(connectionFactory)));

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
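The workaround quoted above, plus the kind of guard the reporter's integration test would need, as an added example in Java (not code from the issue or from the Directory project). It assumes the Apache Directory LDAP API 1.0.0 jar on the classpath and uses `LdapConnectionConfig.setLdapHost/setLdapPort/setUseSsl/getTrustManagers`, which I take to exist alongside the `setTrustManagers` shown in the report; the host and port are placeholders and no connection is opened.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

public final class LdapsTrustCheck {

    /** Builds an LDAPS config whose trust managers verify the server certificate against the
     *  JVM default trust store (cacerts), or against a dedicated JKS truststore if a path is given. */
    public static LdapConnectionConfig verifyingConfig(String host, int port,
                                                       String truststorePath, char[] truststorePassword) throws Exception {
        KeyStore trustStore = null; // null = JVM default trust store
        if (truststorePath != null) {
            trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(truststorePath)) {
                trustStore.load(in, truststorePassword);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true);
        // Replaces the library default, which in 1.0.0 is NoVerificationTrustManager (accepts any cert).
        config.setTrustManagers(tmf.getTrustManagers());
        return config;
    }

    /** Guard for an integration test: fails if the config would accept any server certificate. */
    public static void requireVerifyingTrustManagers(LdapConnectionConfig config) {
        TrustManager[] tms = config.getTrustManagers();
        if (tms == null || tms.length == 0) {
            throw new IllegalStateException("no trust managers set; library default would apply");
        }
        for (TrustManager tm : tms) {
            if (tm instanceof NoVerificationTrustManager) {
                throw new IllegalStateException("NoVerificationTrustManager present: LDAPS trusts all certificates");
            }
            if (!(tm instanceof X509TrustManager)) {
                throw new IllegalStateException("unexpected trust manager: " + tm.getClass().getName());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        LdapConnectionConfig config = verifyingConfig("ldap.example.invalid", 636, null, null); // placeholder host
        requireVerifyingTrustManagers(config);           // would throw for a freshly constructed 1.0.0 config
        System.out.println("LDAPS config uses " + config.getTrustManagers().length + " verifying trust manager(s)");
    }
}
```

Running `requireVerifyingTrustManagers(new LdapConnectionConfig())` against 1.0.0 is the direct regression check for this issue.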
