Directory ApacheDS
DIRSERVER-2024

Add some configuration for the list of supported TLS protocol

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0-M19
    • Fix Version/s: 2.0.0-M20
    • Component/s: None
    • Labels: None

      Description

      We should add some element to the configuration to propagate the list of supported security parameters to the SSLEngine.

          Activity

          Emmanuel Lecharny added a comment - Fixed with http://svn.apache.org/r1641401 and http://svn.apache.org/r1641402
          Emmanuel Lecharny added a comment -

          Agreed.

          Kiran Ayyagari added a comment -

          I suggest we deprecate the use of the ciphersuites config in LdapServer but continue to support it for a few more versions to prevent
          breaking existing installations after an upgrade.

          Emmanuel Lecharny added a comment -

          Currently, the CipherSuite is stored in the LdapServer, which is wrong. Everything that is SSL specific should be associated with a transport, and more specifically with the TcpTransport. There is no means to support SSL for UDP, and we can use SSL for other protocols than just LDAP.

          Emmanuel Lecharny added a comment -

          There are a few parameters that can be passed to MINA :

          • the list of enabled Ciphers
          • the list of enabled protocols
          • the client auth flag, either 'need' or 'want'

          We need four MAY attributes (ads-enabledProtocol, ads-enabledCipher, ads-wantClientAuth, ads-needClientAuth), and we have to augment the ads-transport objectClass :

          version: 1
          dn: m-oid=1.3.6.1.4.1.18060.0.4.1.3.18,ou=objectClasses,cn=adsconfig,ou=schema
          m-oid: 1.3.6.1.4.1.18060.0.4.1.3.18
          m-name: ads-transport
          m-description: A transport (TCP or UDP)
          objectclass: top
          objectclass: metaTop
          objectclass: metaObjectClass
          m-supobjectclass: ads-base
          m-typeobjectclass: ABSTRACT
          m-must: ads-transportId
          m-must: ads-systemPort
          m-must: ads-transportAddress
          m-may: ads-transportBacklog
          m-may: ads-transportEnableSSL
          m-may: ads-transportNbThreads
          m-may: ads-enabledProtocol
          m-may: ads-enabledCipher
          m-may: ads-wantClientAuth
          m-may: ads-needClientAuth
          creatorsname: uid=admin,ou=system
          
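The comment above lists the three kinds of parameter (enabled protocols, enabled ciphers, want/need client auth) that the new ads-* attributes are meant to carry down to the SSLEngine. The following is an added example, not ApacheDS or MINA code, showing how those four attribute values map onto a JSSE SSLEngine and the two checks a practitioner wants on the way: unknown protocol or cipher names are filtered out before the setters see them (JSSE throws IllegalArgumentException on an unrecognised name, which would otherwise take the whole transport down on startup), and the need flag is applied after the want flag because in JSSE each setter resets the other and the last call wins. The class name, method names and the sample attribute values are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example (not ApacheDS or MINA code). Holds the values of the four
 * proposed transport attributes and applies them to a server-side SSLEngine.
 * Class and method names are assumptions, not the project's API.
 */
public class TransportTlsConfig {
    private final List<String> enabledProtocols;   // ads-enabledProtocol values
    private final List<String> enabledCiphers;     // ads-enabledCipher values
    private final boolean wantClientAuth;          // ads-wantClientAuth
    private final boolean needClientAuth;          // ads-needClientAuth

    public TransportTlsConfig(List<String> enabledProtocols, List<String> enabledCiphers,
                              boolean wantClientAuth, boolean needClientAuth) {
        this.enabledProtocols = enabledProtocols;
        this.enabledCiphers = enabledCiphers;
        this.wantClientAuth = wantClientAuth;
        this.needClientAuth = needClientAuth;
    }

    /** Keep only the configured names this JVM supports; collect the rest in 'rejected'. */
    static String[] filterSupported(List<String> configured, String[] supported, List<String> rejected) {
        Set<String> known = new HashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        for (String name : configured) {
            if (known.contains(name)) {
                kept.add(name);
            } else {
                rejected.add(name);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Push the configured values onto the engine; an empty list means "leave the JSSE default". */
    public void apply(SSLEngine engine) {
        List<String> rejected = new ArrayList<>();

        // setEnabledProtocols / setEnabledCipherSuites throw IllegalArgumentException
        // on an unknown name, so filter against getSupported*() first. Refuse to
        // continue if nothing usable is left: silently falling back to the JSSE
        // default would defeat the point of the configuration.
        if (!enabledProtocols.isEmpty()) {
            String[] protocols = filterSupported(enabledProtocols, engine.getSupportedProtocols(), rejected);
            if (protocols.length == 0) {
                throw new IllegalStateException("ads-enabledProtocol contains no protocol supported by this JVM");
            }
            engine.setEnabledProtocols(protocols);
        }
        if (!enabledCiphers.isEmpty()) {
            String[] ciphers = filterSupported(enabledCiphers, engine.getSupportedCipherSuites(), rejected);
            if (ciphers.length == 0) {
                throw new IllegalStateException("ads-enabledCipher contains no cipher suite supported by this JVM");
            }
            engine.setEnabledCipherSuites(ciphers);
        }
        if (!rejected.isEmpty()) {
            System.err.println("ignored unsupported names: " + rejected);
        }

        // In JSSE, setNeedClientAuth(true) clears wantClientAuth and setWantClientAuth(true)
        // clears needClientAuth. Apply 'need' last so it wins when both flags are set.
        engine.setWantClientAuth(wantClientAuth);
        if (needClientAuth) {
            engine.setNeedClientAuth(true);
        }
        engine.setUseClientMode(false); // the transport is the server side
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, as they might appear in the ads-* attributes.
        // The second cipher name is deliberately misspelled to exercise the filter.
        TransportTlsConfig cfg = new TransportTlsConfig(
            Arrays.asList("TLSv1.2", "TLSv1.3", "SSLv3"),
            Arrays.asList("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES128_GCM_SHA256"),
            true, true);

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        cfg.apply(engine);

        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("enabled ciphers:   " + Arrays.toString(engine.getEnabledCipherSuites()));
        System.out.println("needClientAuth=" + engine.getNeedClientAuth()
            + " wantClientAuth=" + engine.getWantClientAuth());
    }
}
```

Note that a name surviving the filter is not the same as it being usable: SSLv3 is still reported by getSupportedProtocols() on recent JDKs but is blocked at handshake time by the jdk.tls.disabledAlgorithms security property, so the effective list is the intersection of the attribute, the JVM's supported set and that property. MINA's SslFilter exposes setters with the same names as the SSLEngine ones used here, so a transport that reads these attributes only has to hand the filtered arrays and the two flags to the filter.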

            People

            • Assignee: Unassigned
            • Reporter: Emmanuel Lecharny