jackrabbit-oak-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Miroslav Smiljanic (Jira)" <j...@apache.org>
Subject [jira] [Closed] (OAK-9442) LDAPIdentityProvider: avoid usage of week SSL/TLS protocol
Date Thu, 03 Jun 2021 14:54:06 GMT

     [ https://issues.apache.org/jira/browse/OAK-9442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Miroslav Smiljanic closed OAK-9442.
-----------------------------------

> LDAPIdentityProvider: avoid usage of week SSL/TLS protocol
> ----------------------------------------------------------
>
>                 Key: OAK-9442
>                 URL: https://issues.apache.org/jira/browse/OAK-9442
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Angela Schreiber
>            Priority: Major
>             Fix For: 1.40.0
>
>         Attachments: OAK-9442.patch
>
>
> sonar issues a warning regarding usage of week SSL/TLS protocols the following code in
{{LDAPIdentityProvider}}:
> {code}
> // make sure the JVM supports the TLSv1.1
>         try {
>             enabledSSLProtocols = null;
>             SSLContext.getInstance("TLSv1.1");
>         } catch (NoSuchAlgorithmException e) {
>             log.warn("JDK does not support TLSv1.1. Disabling it.");
>             enabledSSLProtocols = new String[]{"TLSv1"};
>         }
> {code}
> This code has been introduced with OAK-2951 (Regression: SSL errors with latest ldap
client). My preference for addressing this would be to drop the try/catch altogether and replace
with an optional configuration option that allows to explicitly defined protocols to be enabled
on the {{LDAPConnectionConfiguration}}.
> The downside of this approach: current usage of the oak-auth-ldap that relied on having
an automatic fallback to TLSv1 installed would no longer work. However, I am not sure how
big that risk is, given that TLSv1.2 is required to be supported since java 9 (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html)
> [~chaotic], [~insuafer], what do you think?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message