
Replication ignores startTLS when ads-replStrictCertValidation is true

Details

• Type: Bug
• Status: Resolved
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: 2.0.0-M16
• Fix Version/s: 2.0.0-M18
• Component/s: ldap
• Labels: None

Description

Precondition:
1. Assume that the replication server does not have a valid certificate
2. Set up replication with ads-replUseTls=true and ads-replStrictCertValidation=true

Expected result:
I think in that case the connection should always fail!

Observed result:
The first connect to that server will really fail with InvalidConnectionException, but the next time ReplicationConsumerImpl reconnects it will ignore startTLS and will successfully connect over TCP!

Problem caused by the ReplicationConsumerImpl implementation:

    // The connection is created once and cached; startTls() only runs in this branch
    if ( connection == null )
    {
        connection = new LdapNetworkConnection( providerHost, port );
        connection.setTimeOut( -1L );
        connection.setSchemaManager( schemaManager );

        if ( config.isUseTls() )
        {
            connection.getConfig().setTrustManagers( config.getTrustManager() );
            connection.startTls();   // throws when the certificate is rejected, but 'connection' stays non-null
        }

        connection.addConnectionClosedEventListener( this );
    }

    // Try to connect: on a retry this runs with the cached connection and no TLS step at all
    if ( connection.connect() )

The first time the startTls() method fails, but on reconnect it's not called because connection is not null.
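The shape of a consumer that does not fall into this trap, as an added example written for this page (it is not ApacheDS code and does not reproduce ReplicationConsumerImpl): StartTLS is requested through the connection config rather than by a one-off startTls() call, so it is negotiated inside bind() on every attempt, and a connection whose TLS step failed is closed and discarded instead of being cached for the next retry. The host, port, bind DN and password are placeholders, and the JDK default trust store stands in for the replication config's TrustManager as the "strict certificate validation" setting.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Added example, not ApacheDS code: a replication-style consumer that asks for
 * StartTLS via LdapConnectionConfig.setUseTls(true), so the TLS negotiation
 * happens inside bind() on every (re)connect, and never reuses a connection
 * whose TLS step already failed.
 */
public class StrictTlsConsumer
{
    private final String host;      // placeholder provider host
    private final int port;         // placeholder provider port
    private final String bindDn;    // placeholder replication bind DN
    private final String password;  // placeholder replication credentials
    private LdapNetworkConnection connection;

    public StrictTlsConsumer( String host, int port, String bindDn, String password )
    {
        this.host = host;
        this.port = port;
        this.bindDn = bindDn;
        this.password = password;
    }

    /** Strict validation: the JDK default trust store, no permissive TrustManager. */
    private static TrustManager[] strictTrustManagers() throws GeneralSecurityException
    {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
        tmf.init( ( KeyStore ) null );
        return tmf.getTrustManagers();
    }

    /** Every attempt starts from a fresh connection that carries the TLS requirement in its config. */
    private LdapNetworkConnection newConnection() throws GeneralSecurityException
    {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost( host );
        config.setLdapPort( port );
        config.setUseTls( true );                       // StartTLS runs inside bind(), not once at construction
        config.setTrustManagers( strictTrustManagers() );
        return new LdapNetworkConnection( config );
    }

    /**
     * Returns true only after a bind that was preceded by a successful StartTLS.
     * Any failure closes and drops the connection, so a retry cannot inherit a
     * cached connection that skipped TLS.
     */
    public synchronized boolean connectAndBind()
    {
        try
        {
            if ( connection == null )
            {
                connection = newConnection();
            }

            if ( !connection.connect() )
            {
                discard();
                return false;
            }

            connection.bind( bindDn, password );        // negotiates StartTLS first because useTls is set
            return true;
        }
        catch ( LdapException | GeneralSecurityException e )
        {
            discard();                                  // certificate rejected or bind failed: do not keep the socket
            return false;
        }
    }

    private void discard()
    {
        if ( connection != null )
        {
            try
            {
                connection.close();
            }
            catch ( IOException ignored )
            {
                // already closed or never opened; nothing to recover
            }
            connection = null;
        }
    }

    public static void main( String[] args )
    {
        // Placeholder values; with an untrusted provider certificate every attempt must return false.
        StrictTlsConsumer consumer = new StrictTlsConsumer( "provider.example.test", 10389,
            "uid=admin,ou=system", "secret" );

        for ( int attempt = 1; attempt <= 3; attempt++ )
        {
            System.out.println( "attempt " + attempt + ": " + ( consumer.connectAndBind() ? "bound over TLS" : "refused" ) );
        }
    }
}
```

The same flag can be set after construction with connection.getConfig().setUseTls( true ), which is the one-line change applied for this issue; the extra step here is that a failed attempt discards the connection object instead of leaving it cached for the next reconnect.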

Activity

alexander.kozlov.iv Alexander Kozlov added a comment -

instead of calling

    connection.startTls();

you should call

    connection.getConfig().setUseTls( true );

In that case TLS will be started in LdapNetworkConnection.bindAsync().

akiran Kiran Ayyagari added a comment -

Excellent catch, thanks for reporting with all the details and patch as well.

Applied here http://svn.apache.org/r1632402.


People

• Assignee: akiran Kiran Ayyagari
• Reporter: alexander.kozlov.iv Alexander Kozlov