Critical Description
Precondition:
1. Assume that replication server does not have valid certificate
2. Setup replication with ads-replUseTls=true and ads-replStrictCertValidation=true
Expected result:
I think in that case connection should always fail!
Observed result:
The first connect to that server will really fails with InvalidConnectionException, but next time ReplicationConsumerImpl will reconnect it will ignore startTLS and it will successfully connected over TCP!
Problem caused by ReplicationConsumerImpl implementation:
if ( connection == null ) { connection = new LdapNetworkConnection( providerHost, port ); connection.setTimeOut( -1L ); connection.setSchemaManager( schemaManager ); if ( config.isUseTls() ) { connection.getConfig().setTrustManagers( config.getTrustManager() ); connection.startTls(); } connection.addConnectionClosedEventListener( this ); } // Try to connect if ( connection.connect() )
The first time startTls() method fails, but on reconnect it's not called because connection is not null.