
Replication ignores startTLS when ads-replStrictCertValidation is true

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version: 2.0.0-M16
    • Fix Version: 2.0.0-M18
    • Component: ldap
    • Labels: None

    Description

      Precondition:
      1. Assume that replication server does not have valid certificate
      2. Setup replication with ads-replUseTls=true and ads-replStrictCertValidation=true

      Expected result:
      I think in that case the connection should always fail!

      Observed result:
      The first connect to that server really fails with InvalidConnectionException, but the next time ReplicationConsumerImpl reconnects it ignores startTLS and connects successfully over TCP!

      The problem is caused by the ReplicationConsumerImpl implementation:

      // The connection object is cached in a field and only built once.
      if ( connection == null )
      {
          connection = new LdapNetworkConnection( providerHost, port );
          connection.setTimeOut( -1L );
          connection.setSchemaManager( schemaManager );
          
          // startTls() runs only on this first construction; if it throws,
          // 'connection' is already assigned and this block is skipped next time.
          if ( config.isUseTls() )
          {
              connection.getConfig().setTrustManagers( config.getTrustManager() );
              connection.startTls();
          }
      
          connection.addConnectionClosedEventListener( this );
      }
      
      // Try to connect (on a reconnect this runs without any TLS handshake)
      if ( connection.connect() )
      
      

      The first time the startTls() method fails, but on reconnect it is not called because connection is not null.
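      The following is an added example, not ApacheDS code and not the fix that was committed for this issue. It shows one way to write the reconnect path so that it fails closed: the half-initialised connection is discarded whenever TLS setup or the connect fails, so the next attempt starts from scratch, and a session is only handed back if it is actually secured when TLS was required. The class name, field names and the surrounding config object are hypothetical; it assumes the Apache LDAP API methods used in the snippet above plus LdapNetworkConnection.isSecured(), which is assumed here to report whether the session currently has a TLS layer.

```java
import java.io.IOException;
import javax.net.ssl.TrustManager;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Hypothetical fail-closed reconnect routine (added example, not ApacheDS code).
 * Mirrors the field names of the snippet in the description.
 */
public class FailClosedReplicationConnector
{
    private final String providerHost;
    private final int port;
    private final boolean useTls;            // ads-replUseTls
    private final TrustManager trustManager; // strict or permissive, built from ads-replStrictCertValidation elsewhere

    private LdapNetworkConnection connection; // cached between attempts, but only when fully set up

    public FailClosedReplicationConnector( String providerHost, int port, boolean useTls, TrustManager trustManager )
    {
        this.providerHost = providerHost;
        this.port = port;
        this.useTls = useTls;
        this.trustManager = trustManager;
    }

    /**
     * Opens (or re-opens) the connection. Either returns a connection that is
     * TLS-protected when TLS was requested, or throws and leaves no cached
     * connection behind, so a retry cannot skip the TLS step.
     */
    public synchronized LdapNetworkConnection connect() throws LdapException
    {
        if ( connection == null )
        {
            connection = new LdapNetworkConnection( providerHost, port );
            connection.setTimeOut( -1L );

            if ( useTls )
            {
                connection.getConfig().setTrustManagers( trustManager );
            }
        }

        try
        {
            if ( !connection.connect() )
            {
                throw new LdapException( "connect() returned false for " + providerHost + ":" + port );
            }

            // Run StartTLS on every (re)connect, not only when the object is first built.
            // isSecured() is assumed to report whether a TLS layer is present on the session.
            if ( useTls && !connection.isSecured() )
            {
                connection.startTls();
            }

            // Belt and braces: never hand back a cleartext session when TLS was required.
            if ( useTls && !connection.isSecured() )
            {
                throw new LdapException( "TLS required but session to " + providerHost + " is not secured" );
            }

            return connection;
        }
        catch ( LdapException e )
        {
            // Discard the half-initialised object. Keeping it is exactly what let the
            // original code skip startTls() on the next attempt.
            discard();
            throw e;
        }
    }

    /** Closes and forgets the cached connection so the next connect() starts from scratch. */
    public synchronized void discard()
    {
        if ( connection != null )
        {
            try
            {
                connection.close();
            }
            catch ( IOException ignored )
            {
                // best effort: the object is dropped either way
            }
            connection = null;
        }
    }
}
```

      With a strict trust manager and an invalid server certificate, startTls() throws on every attempt, discard() runs each time, and no cleartext session is ever returned; the same routine can be called from the connection-closed listener to reconnect.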

      People

        Assignee: Kiran Ayyagari (akiran)
        Reporter: Alexander Kozlov (alexander.kozlov.iv)