Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-M11, 1.0.0-M12
    • Fix Version/s: None
    • Labels: None

      Description

      I want to connect to an OpenLDAP directory with LDAPS.
      With JNDI, I just need to modify the common keystore, or add a specific one with javax.net.ssl.trustStore.
      With DIRAPI, I need to provide a TrustManager (which I can eventually initialize with the SUN one).

      I suggest initializing the default TrustManager to the SUN one. This can be done in LdapConnectionConfig by replacing:

          TrustManagerFactory tmFactory = TrustManagerFactory.getInstance( trustMgmtAlgo );
          tmFactory.init( KeyStore.getInstance( KeyStore.getDefaultType() ) );

      with:

          TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
          tmFactory.init((KeyStore)null);
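The two initialisations side by side, as an added illustration that is not part of the ticket or of the DIRAPI code base: `init((KeyStore) null)` hands the decision to the JSSE provider, which reads `javax.net.ssl.trustStore` (or falls back to the JRE's cacerts), whereas a freshly created KeyStore carries no trust anchors, so the resulting manager rejects every server certificate. The class name and the optional command-line arguments are this example's own.

```java
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration, not DIRAPI code: contrasts the two initialisations from the ticket.
public final class TrustManagerInitDemo {

    // Ticket's proposal: default algorithm, null KeyStore. The provider then loads
    // javax.net.ssl.trustStore if set, otherwise the JRE's cacerts file.
    static X509TrustManager fromJvmDefaults() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return firstX509(tmf.getTrustManagers());
    }

    // Pre-fix behaviour: a brand-new KeyStore of the default type that nothing was
    // ever loaded into, so the resulting manager has no trust anchors at all.
    // (Loaded as empty here so the demo does not depend on how the provider treats
    // a never-loaded store; the original code skipped even this call.)
    static X509TrustManager fromEmptyKeyStore() throws Exception {
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(empty);
        return firstX509(tmf.getTrustManagers());
    }

    static X509TrustManager firstX509(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("provider returned no X509TrustManager");
    }

    // Optional args: <truststore path> <password>, applied through the same system
    // properties JNDI honours, to show that they now steer the default manager.
    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            System.setProperty("javax.net.ssl.trustStore", args[0]);
            System.setProperty("javax.net.ssl.trustStorePassword", args[1]);
        }
        int viaJvm = fromJvmDefaults().getAcceptedIssuers().length;
        int viaEmpty = fromEmptyKeyStore().getAcceptedIssuers().length;
        System.out.println("trust anchors with init((KeyStore) null): " + viaJvm);
        System.out.println("trust anchors with empty KeyStore: " + viaEmpty + " (every server cert rejected)");
    }
}
```

Run once without arguments to see the JRE's cacerts anchor count, then with a truststore holding your self-signed server certificate to see the default manager pick it up, which is exactly what JNDI users get from `javax.net.ssl.trustStore`.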

        Activity

        Kiran Ayyagari added a comment - Fixed here http://svn.apache.org/viewvc?rev=1394415&view=rev
        Emmanuel Lecharny added a comment -

        Hmmm, I think that Raphaël is right here.

        The way we initialize the TM is not necessarily good:

            public LdapConnectionConfig()
            {
                setDefaultTrustManager();
            }

            /**
             * sets the default trust manager based on the SunX509 trustManagement algorithm
             */
            private void setDefaultTrustManager()
            {
                String trustMgmtAlgo = "SunX509";

                try
                {
                    TrustManagerFactory tmFactory = TrustManagerFactory.getInstance( trustMgmtAlgo );
                    tmFactory.init( KeyStore.getInstance( KeyStore.getDefaultType() ) );
                    ...

        I'd rather use what Raphaël is proposing, and remove the hard coded "SunX509" value.
        Kiran Ayyagari added a comment -

        Ok, now I see that we don't use NoVerificationTrustManager by default in code, but the one initialized based on the "SunX509" algorithm and an empty KeyStore.
        I will commit a fix. Thank you.
        Raphaël Ouazana added a comment -

        To be precise: without this patch, if I don't provide a TrustManager, I am not able to configure the keystore.
        Raphaël Ouazana added a comment -

        I don't think the provided reason is good. It is possible to use a self-signed certificate with the SUN default TrustManager as soon as you configure it. The goal of this ticket is precisely to allow configuring it.
        Raphaël Ouazana added a comment -

        I use a self-signed certificate for my tests and it works fine, as soon as I specify it in javax.net.ssl.trustStore.
        Kiran Ayyagari added a comment -

        The default Java trust manager will not accept self-signed certificates, which are mostly used
        in many environments. By default we use a NoVerificationTrustManager that accepts all certificates.

          People

          • Assignee:
            Kiran Ayyagari
          • Reporter:
            Raphaël Ouazana