Uploaded image for project: 'Directory Client API'
  1. Directory Client API
  2. DIRAPI-301

Ldaps connection trusts all certificates

Attach filesAttach ScreenshotWatch issueCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 1.0.0
    • 2.0.0.AM3
    • Windows 10 & Ubuntu 14.04

    Description

      Thankfully we had an integration test for this, otherwise this is a major security issue.

      This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0, the test started failing. "Affects version" says there is no 1.0.0 btw, but Maven disagrees.

      I don't know about the raw APIs but this happens when `LdapConnectionTemplate` is used. Thankfully I was able to work around it by assigning Java's default TrustManager.

      LdapConnectionConfig config = new LdapConnectionConfig();
      ....
      TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
      tmf.init((KeyStore) null);
      config.setTrustManagers(tmf.getTrustManagers());
      ...
      DefaultLdapConnectionFactory connectionFactory = new DefaultLdapConnectionFactory(config);
      return new LdapConnectionTemplate(new LdapConnectionPool(new ValidatingPoolableLdapConnectionFactory(connectionFactory))));

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            natan.abolafya Natan Abolafya
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment