  1. Directory Client API
  2. DIRAPI-301

Ldaps connection trusts all certificates


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0
    • Fix Version/s: 2.0.0.AM3
    • Labels:
    • Environment:
      Windows 10 & Ubuntu 14.04

      Description

      Thankfully we had an integration test for this, otherwise this is a major security issue.

      This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0, the test started failing. "Affects version" says there is no 1.0.0 btw, but Maven disagrees.

      I don't know about the raw APIs but this happens when `LdapConnectionTemplate` is used. Thankfully I was able to work around it by assigning Java's default TrustManager.

      LdapConnectionConfig config = new LdapConnectionConfig();
      ....
      // Build the JDK's default trust managers (a null KeyStore selects the default trust store)
      TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init((KeyStore) null);
      // Set them explicitly so the server certificate is actually validated
      config.setTrustManagers(tmf.getTrustManagers());
      ...
      DefaultLdapConnectionFactory connectionFactory = new DefaultLdapConnectionFactory(config);
      return new LdapConnectionTemplate(new LdapConnectionPool(new ValidatingPoolableLdapConnectionFactory(connectionFactory)));
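
A check in the spirit of the integration test mentioned in the description, as an added example that is not part of the original report or the project's code: it flags a `TrustManager` array that accepts any certificate. The class name `TrustManagerProbe`, the method `trustsEverything` and the no-op manager are constructed for illustration; only JDK classes are used.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerProbe {

    /** True if any manager silently accepts a chain that no real validator can accept. */
    static boolean trustsEverything(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            try {
                // An empty chain cannot be validated: the JDK validator throws
                // IllegalArgumentException, while a no-op implementation just returns.
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[0], "RSA");
                return true;
            } catch (CertificateException | RuntimeException rejected) {
                // Rejected, which is what a validating manager must do.
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Same construction as the workaround: the JDK's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        // Constructed stand-in for a trust-all manager (not the library's class).
        TrustManager permissive = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };

        System.out.println("JDK default trusts everything: " + trustsEverything(tmf.getTrustManagers()));
        System.out.println("no-op manager trusts everything: " + trustsEverything(new TrustManager[] { permissive }));
    }
}
```

The probe is a heuristic that catches no-op implementations; a manager that passes it still needs an integration test against a server presenting an untrusted certificate.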

            People

            • Assignee: Unassigned
            • Reporter: Natan Abolafya (natan.abolafya)