Directory ApacheDS / DIRSERVER-2012

Replication ignores startTLS when ads-replStrictCertValidation is true

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-M16
    • Fix Version/s: 2.0.0-M18
    • Component/s: ldap
    • Labels: None

      Description

      Precondition:
      1. Assume that the replication server does not have a valid certificate
      2. Set up replication with ads-replUseTls=true and ads-replStrictCertValidation=true

      Expected result:
      I think in that case the connection should always fail!

      Observed result:
      The first connect to that server will really fail with InvalidConnectionException, but the next time ReplicationConsumerImpl reconnects, it will ignore startTLS and will successfully connect over TCP!

      The problem is caused by the ReplicationConsumerImpl implementation:

      if ( connection == null )
      {
          connection = new LdapNetworkConnection( providerHost, port );
          connection.setTimeOut( -1L );
          connection.setSchemaManager( schemaManager );

          // TLS is set up only inside this block, i.e. only when the connection object is first created
          if ( config.isUseTls() )
          {
              connection.getConfig().setTrustManagers( config.getTrustManager() );
              connection.startTls();
          }

          connection.addConnectionClosedEventListener( this );
      }

      // Try to connect
      if ( connection.connect() )

      The first time, the startTls() method fails, but on reconnect it's not called because connection is not null.
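
The reconnect path described in this report, reproduced as an added example that is not part of the report, not ApacheDS code and not the committed fix. `FakeConnection`, `connectOnceTls` and `connectFailClosed` are hypothetical names, and the always-failing `startTls()` is a constructed stand-in for a provider whose certificate does not validate.

```java
import java.io.IOException;
public class ReconnectTlsDemo {
    // Hypothetical stand-in for an LDAP connection (not the Apache Directory API).
    static class FakeConnection {
        boolean connected, secured;
        // Constructed behaviour: the provider's certificate never validates.
        void startTls() throws IOException { throw new IOException("certificate validation failed"); }
        boolean connect() { connected = true; return true; }
        void close() { connected = false; secured = false; }
    }
    static FakeConnection connection; // field reused across reconnect attempts

    // Pattern from the report: TLS is started only when the object is created.
    static boolean connectOnceTls(boolean useTls) throws IOException {
        if (connection == null) {
            connection = new FakeConnection();
            if (useTls) connection.startTls(); // throws, but the field stays non-null
        }
        return connection.connect(); // a retry reaches this line without TLS
    }

    // Fail-closed variant: start TLS on every attempt, drop the object on failure.
    static boolean connectFailClosed(boolean useTls) throws IOException {
        if (connection == null) connection = new FakeConnection();
        try {
            if (useTls && !connection.secured) connection.startTls();
            boolean ok = connection.connect();
            if (ok && useTls && !connection.secured) throw new IOException("TLS required but not active");
            return ok;
        } catch (IOException e) {
            connection.close();
            connection = null; // next attempt starts from scratch
            throw e;
        }
    }
    static String attempt(boolean strict) {
        try {
            boolean ok = strict ? connectFailClosed(true) : connectOnceTls(true);
            return "connected=" + ok + " secured=" + connection.secured;
        } catch (IOException e) {
            return "failed: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        for (int i = 1; i <= 2; i++) System.out.println("once-only TLS, attempt " + i + ": " + attempt(false));
        connection = null;
        for (int i = 1; i <= 2; i++) System.out.println("fail-closed, attempt " + i + ": " + attempt(true));
    }
}
```

With the once-only pattern the second attempt reports a connection that is not secured; the fail-closed variant fails on both attempts.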

            People

            • Assignee: akiran Kiran Ayyagari
            • Reporter: alexander.kozlov.iv Alexander Kozlov