[OAK-9442] LDAPIdentityProvider: avoid usage of weak SSL/TLS protocol - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.40.0
Component/s: auth-ldap
Labels:
None

Description

sonar issues a warning regarding usage of week SSL/TLS protocols the following code in LDAPIdentityProvider:

// make sure the JVM supports the TLSv1.1
        try {
            enabledSSLProtocols = null;
            SSLContext.getInstance("TLSv1.1");
        } catch (NoSuchAlgorithmException e) {
            log.warn("JDK does not support TLSv1.1. Disabling it.");
            enabledSSLProtocols = new String[]{"TLSv1"};
        }

This code has been introduced with ~~OAK-2951~~ (Regression: SSL errors with latest ldap client). My preference for addressing this would be to drop the try/catch altogether and replace with an optional configuration option that allows to explicitly defined protocols to be enabled on the LDAPConnectionConfiguration.

The downside of this approach: current usage of the oak-auth-ldap that relied on having an automatic fallback to TLSv1 installed would no longer work. However, I am not sure how big that risk is, given that TLSv1.2 is required to be supported since java 9 (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html)

chaotic, insuafer, what do you think?

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OAK-9442.patch
20/May/21 18:00
12 kB
Angela Schreiber

Issue Links

incorporates

OAK-9446 update documentation reflecting config option added with OAK-9442

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 20/May/21 12:52

Updated:: 22/Jun/22 13:02

Resolved:: 26/May/21 09:06