Directory Studio / DIRSTUDIO-263

Add certificate validation for ldaps and StartTLS

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.5.0
    • Component/s: studio-connection
    • Labels: None

      Description

      We have encrypted connections using ldaps:// or the StartTLS extended operation, but the certificate isn't validated as we always use a DummySSLSocketFactory.

        Activity

        Pierre-Arnaud Marcelot added a comment -

        Postponed.

        Pierre-Arnaud Marcelot added a comment -

        Postponed.

        Marius Scurtescu added a comment -

        Adding proper certificate exception handling when validation fails is probably a large job, this is why this feature gets postponed. Is that correct?

        As an intermediate step maybe the validation can still be done and the validation error shown, then proceed as usual regardless. But at least you are warned that validation failed.

        Please make sure that the hostname is also validated, AFAIK this is not done by default and must be done explicitly in JNDI, at least for LDAPS, not sure about StartTLS.

        See this thread for some details:
        http://forums.sun.com/thread.jspa?messageID=10629641

        Stefan Seelmann added a comment -

        Yes, you are right. When using the "default" Java mechanism you have to deal with the keytool utility, which isn't that easy to use. The idea is to add a certificate management GUI to Studio.

        Many thanks for the hostname hint and the link.

        Stefan Seelmann added a comment -

        Basic certificate validation is implemented: First the default JVM validation is called (which uses the <JAVA_HOME>/lib/security/cacerts keystore by default). If the verification fails the user is asked if s/he wants to trust the certificate. It works with Sun 5 and 6, JRockit 6 and IBM 5. There are problems with Harmony and IBM 6 (which is based on Harmony), seems like Harmony hasn't implemented StartTLS yet, I have to investigate.

        The next steps are:

        • Show the certificate details to the user. I'd suggest to create a certificate dialog that shows the certificate and the chain, like in Firefox. We could reuse this dialog for a certificate and certificate list value editor. Such a dialog already exists in Eclipse, it pops up if you install a new plugin and the plugin isn't signed from a known CA. Unfortunately this dialog is only internal and not accessible from outside.
        • Allow permanent trust of a certificate. Therefore we need to create a custom keystore and put permanently trusted certificate chains into it. A preference page to manage these certificates would also be helpful, e.g. if the user accidentally added a certificate and wants to remove it.
        • Enable hostname verification. This is quite tricky, see Marius' comment.
        • For ldaps:// JNDI doesn't verify hostnames at all. The solution shown by Marius (see the link above) seems to work, however the class "HostnameChecker" is a Sun JDK specific class in package "sun.security.util.HostnameChecker".
        • For StartTLS JNDI verifies hostnames by default. However if the verification fails, the connection is closed. But we should ask the user if s/he wants to trust the certificate anyway.
        • Looks like we need a custom hostname checker. But that is quite complex because we have to deal with IPv4 and IPv6 addresses, hostnames, wildcards; the hostname could be the cn or one of the subject aliases, etc.
        • An additional step would be to implement SASL EXTERNAL authentication using a client certificate.
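The validation order Stefan describes (default JVM trust first, then a custom keystore of permanently trusted certificates, then asking the user) as an added Java sketch; it is not Studio's own code, and DelegatingTrustManager, the already loaded permanentStore and the askUser callback are hypothetical names.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical trust manager (not Studio's code): JVM default trust (cacerts) -> custom keystore
// of permanently trusted certs -> certs accepted earlier this session -> ask the user, else reject.
public final class DelegatingTrustManager implements X509TrustManager {
    private final X509TrustManager jvmDefault;
    private final KeyStore permanentStore;                  // user-managed, already loaded trust store
    private final Set<X509Certificate> sessionTrusted = new HashSet<>();
    private final Predicate<X509Certificate[]> askUser;     // GUI prompt; true means "trust it"

    public DelegatingTrustManager(KeyStore permanentStore, Predicate<X509Certificate[]> askUser)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                          // null => the JVM's default cacerts
        this.jvmDefault = (X509TrustManager) tmf.getTrustManagers()[0]; // default PKIX factory yields one
        this.permanentStore = permanentStore;
        this.askUser = askUser;
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty server chain");
        try {
            jvmDefault.checkServerTrusted(chain, authType); // step 1: default JVM validation
            return;
        } catch (CertificateException defaultFailure) {
            try {                                           // step 2: leaf pinned in the custom store?
                if (permanentStore.getCertificateAlias(chain[0]) != null) return;
            } catch (KeyStoreException e) {
                throw new CertificateException("cannot read custom trust store", e);
            }
            if (sessionTrusted.contains(chain[0])) return;  // step 3: accepted earlier this session
            if (askUser.test(chain)) { sessionTrusted.add(chain[0]); return; } // step 4: prompt
            throw defaultFailure;                           // refused: surface the original reason
        }
    }
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        jvmDefault.checkClientTrusted(chain, authType);
    }
    public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
}
```

Hostname matching is a separate check from chain trust: the HttpComponents verifier the thread settles on is run against the peer certificate after the handshake, and on Java 7 and later the JDK can do it itself for LDAP when the socket's SSLParameters has setEndpointIdentificationAlgorithm("LDAPS").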
        Stefan Seelmann added a comment -

        The next steps are finished:

        • a certificate detail dialog
        • a custom keystore for temporary and permanent trusted certificates
        • a preference page to manage these manually trusted certificates

        For hostname validation I found some useful verifiers in the HttpComponents project: http://hc.apache.org/httpcomponents-client/httpclient/apidocs/org/apache/http/conn/ssl/package-summary.html

        Stefan Seelmann added a comment -

        Hostname validation is done using org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.

        Stefan Seelmann added a comment -

        Fixed in various commits.

        Pierre-Arnaud Marcelot added a comment -

        Apache Directory Studio version 1.5.0 has been released.


          People

          • Assignee: Stefan Seelmann
          • Reporter: Stefan Seelmann
          • Votes: 1
          • Watchers: 1