Index: oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (revision 1890045)
+++ oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (date 1621516007327)
@@ -17,7 +17,6 @@
 package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
 import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -29,7 +28,6 @@
 import javax.jcr.Credentials;
 import javax.jcr.SimpleCredentials;
-import javax.net.ssl.SSLContext;
 import javax.security.auth.login.LoginException;
 import org.apache.commons.pool2.impl.DefaultPooledObject;
@@ -125,11 +123,6 @@
      */
     private PoolableUnboundConnectionFactory userConnectionFactory;
-    /**
-     * SSL protocols (initialized on init)
-     */
-    private String[] enabledSSLProtocols;
-
     /**
      * Default constructor for OSGi
      */
@@ -502,15 +495,6 @@
             throw new IllegalStateException("Provider already initialized.");
         }
-        // make sure the JVM supports the TLSv1.1
-        try {
-            enabledSSLProtocols = null;
-            SSLContext.getInstance("TLSv1.1");
-        } catch (NoSuchAlgorithmException e) {
-            log.warn("JDK does not support TLSv1.1. Disabling it.");
-            enabledSSLProtocols = new String[]{"TLSv1"};
-        }
-
         // setup admin connection pool
         LdapConnectionConfig cc = createConnectionConfig();
         String bindDN = config.getBindDN();
@@ -573,8 +557,9 @@
             cc.setTrustManagers(new NoVerificationTrustManager());
         }
-        if (enabledSSLProtocols != null) {
-            cc.setEnabledProtocols(enabledSSLProtocols);
+        String[] enabledProtocols = config.enabledProtocols();
+        if (enabledProtocols != null && enabledProtocols.length > 0) {
+            cc.setEnabledProtocols(enabledProtocols);
         }
         return cc;
Index: oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (revision 1890045)
+++ oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfig.java (date 1621525471558)
@@ -128,6 +128,17 @@
             boolValue = PARAM_NO_CERT_CHECK_DEFAULT
     )
     public static final String PARAM_NO_CERT_CHECK = "host.noCertCheck";
+
+    /**
+     * @see #enabledProtocols()
+     */
+    @Property(
+            label = "Enabled Protocols",
+            description = "Allows to explicitly set the enabled protocols on the LdapConnectionConfig.",
+            value = {},
+            cardinality = Integer.MAX_VALUE
+    )
+    public static final String PARAM_ENABLED_PROTOCOLS = "host.enabledProtocols";
     /**
      * @see #getBindDN()
@@ -927,6 +938,10 @@
             cfg.getUserPoolConfig().setTimeBetweenEvictionRunsMillis(msTberUser.value);
         }
+        String[] enabledProtocols = params.getConfigValue(PARAM_ENABLED_PROTOCOLS, new String[0]);
+        if (enabledProtocols.length > 0) {
+            cfg.setEnabledProtocols(enabledProtocols);
+        }
         return cfg;
     }
@@ -941,6 +956,8 @@
     private boolean useTLS = PARAM_USE_TLS_DEFAULT;
     private boolean noCertCheck = PARAM_NO_CERT_CHECK_DEFAULT;
+
+    private String[] enabledProtocols = null;
     private String bindDN = PARAM_BIND_DN_DEFAULT;
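Review bot: The new guard `if (enabledProtocols != null && enabledProtocols.length > 0)` in createConnectionConfig silently treats an explicitly configured empty list the same as "not configured", and nothing at this point records that an unset list leaves protocol selection to whatever LdapConnectionConfig and the JVM default to — the removed TLSv1.1 probe at least documented the intent. A comment above the new lines would keep that security-relevant behaviour visible: `// No explicit list: protocol selection is left to the LdapConnectionConfig/JVM defaults; set host.enabledProtocols to restrict it (e.g. to TLSv1.2 and newer).` The length check duplicates the one in LdapProviderConfig.of() for configuration-derived values, but is still needed for direct callers of setEnabledProtocols() with no arguments, which is presumably why it is kept. createConnectionConfig starts before this hunk.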
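Review bot: The `description` on `PARAM_ENABLED_PROTOCOLS` tells an operator neither what kind of values are expected nor what leaving it empty means, and this is the knob that decides which TLS versions the LDAP connection may negotiate. Suggested wording: `description = "Explicitly sets the protocol names (e.g. TLSv1.2) enabled on the LdapConnectionConfig; when empty, the LDAP API and JVM defaults apply."`. Whether the names are validated anywhere is not visible in this diff; if they are passed through as-is, the description should also say how an unknown name shows up, since that is what an operator will hit first.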
@@ -1110,6 +1127,30 @@
         return this;
     }
+    /**
+     * Configures whether enabled protocols should be set on the {@code LdapConnectionConfig}.
+     *
+     * @return an array of enabled protocols or null if no protocols should be explicitly enabled
+     */
+    @Nullable
+    public String[] enabledProtocols() {
+        return enabledProtocols;
+    }
+
+    /**
+     * Configures the enabled protocols to be set to the {@code LdapConnectionConfig}. By default no protocols are
+     * set explicitly.
+     *
+     * @param enabledProtocols The protocols to be enabled on the {@code LdapConnectionConfig}.
+     * @return {@code this}
+     * @see #enabledProtocols()
+     */
+    @NotNull
+    public LdapProviderConfig setEnabledProtocols(@NotNull String... enabledProtocols) {
+        this.enabledProtocols = enabledProtocols;
+        return this;
+    }
+
     /**
      * Configures the DN that is used to bind to the LDAP server. If this value is {@code null} or an empty string,
      * anonymous connections are used.
@@ -1387,6 +1428,7 @@
         sb.append(", useSSL=").append(useSSL);
         sb.append(", useTLS=").append(useTLS);
         sb.append(", noCertCheck=").append(noCertCheck);
+        sb.append(", enabledProtocols=").append(enabledProtocols);
         sb.append(", bindDN='").append(bindDN).append('\'');
         sb.append(", bindPassword='***'");
         sb.append(", searchTimeout=").append(searchTimeout);
Index: oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java (revision 1890045)
+++ oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProviderUseSSLTest.java (date 1621531348476)
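Review bot: `setEnabledProtocols` stores the caller's varargs array and `enabledProtocols()` hands the same array back, so any holder of either reference can change the protocol list after the config is built, which for a TLS setting is worth closing off with a copy: `this.enabledProtocols = enabledProtocols.clone();` in the setter and `return enabledProtocols == null ? null : enabledProtocols.clone();` in the getter. The getter's Javadoc also opens with "Configures whether …" although the method only reports the value; "Returns the protocols to enable explicitly on the {@code LdapConnectionConfig}, or {@code null} if none were configured" would be accurate. Neither method validates the names, so a misspelled protocol presumably only shows up when a connection is attempted; the setter's Javadoc could say that the values are passed through unchecked.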
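Review bot: `sb.append(", enabledProtocols=").append(enabledProtocols)` passes a `String[]` to `StringBuilder.append(Object)`, so toString() prints the array's identity hash rather than the configured protocols, which makes the new field useless in logs and support dumps. Use `sb.append(", enabledProtocols=").append(Arrays.toString(enabledProtocols));`, adding a `java.util.Arrays` import if LdapProviderConfig does not already have one (its import block is not part of this diff). `Arrays.toString` renders an unset list as `null`, which matches the getter's contract.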
@@ -20,6 +20,7 @@
 import com.google.common.collect.Lists;
 import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
@@ -36,20 +37,27 @@
 @RunWith(Parameterized.class)
 public class LdapIdentityProviderUseSSLTest extends AbstractLdapIdentityProviderTest {
+    private static final String PROTOCOL = "TLSv1.2";
+
     @Parameterized.Parameters(name = "LdapConfiguration with {2}")
     public static Collection parameters() {
         return Lists.newArrayList(
-                new Object[] {false, false, "useSSL=false, useTLS=false"},
-                new Object[] {true, false, "useSSL=true, useTLS=false"},
-                new Object[] {false, true, "useSSL=false, useTLS=true"},
-                new Object[] {true, true, "useSSL=true, useTLS=true"}
+                new Object[] {false, false, null, "useSSL=false, useTLS=false, enabled_protocols=NA"},
+                new Object[] {true, false, null, "useSSL=true, useTLS=false, enabled_protocols=NA"},
+                new Object[] {true, false, new String[] {PROTOCOL}, "useSSL=true, useTLS=false, enabled_protocols=["+PROTOCOL+"]"},
+                new Object[] {false, true, null, "useSSL=false, useTLS=true, enabled_protocols=NA"},
+                new Object[] {false, true, new String[] {PROTOCOL}, "useSSL=false, useTLS=true, enabled_protocols=["+PROTOCOL+"]"},
+                new Object[] {true, true, new String[0], "useSSL=true, useTLS=true, enabled_protocols=[]"}
         );
     }
+
+    private final String[] enabledProtocols;
-    public LdapIdentityProviderUseSSLTest(boolean useSSL, boolean useTLS, String name) {
+    public LdapIdentityProviderUseSSLTest(boolean useSSL, boolean useTLS, @Nullable String[] enabledProtocols, @NotNull String name) {
         super();
         this.useSSL = useSSL;
         this.useTLS = useTLS;
+        this.enabledProtocols = enabledProtocols;
     }
     @Override
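Review bot: `@Parameterized.Parameters(name = "LdapConfiguration with {2}")` is stale after this change: the inserted `enabledProtocols` element moves the descriptive label to index 3, so `{2}` now expands to the `String[]` (or `null`) and the six test names no longer show the `useSSL=…, useTLS=…, enabled_protocols=…` text the labels were written for. Change it to `@Parameterized.Parameters(name = "LdapConfiguration with {3}")`. The line is context in this hunk, which is presumably why it escaped the edit.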
@@ -59,6 +67,9 @@
         config.setUseSSL(useSSL);
         config.setUseTLS(useTLS);
         config.setNoCertCheck(true);
+        if (enabledProtocols != null) {
+            config.setEnabledProtocols(enabledProtocols);
+        }
         return config;
     }
Index: oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java (revision 1890045)
+++ oak-auth-ldap/src/test/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapProviderConfigTest.java (date 1621523767659)
@@ -24,12 +24,14 @@
 import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_ADMIN_POOL_MIN_EVICTABLE_IDLE_TIME;
 import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_ADMIN_POOL_TIME_BETWEEN_EVICTION_RUNS;
+import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_ENABLED_PROTOCOLS;
 import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_SEARCH_TIMEOUT_DEFAULT;
 import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_USER_POOL_MIN_EVICTABLE_IDLE_TIME;
 import static org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapProviderConfig.PARAM_USER_POOL_TIME_BETWEEN_EVICTION_RUNS;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 public class LdapProviderConfigTest {
@@ -314,4 +316,19 @@
         LdapProviderConfig config = LdapProviderConfig.of(ConfigurationParameters.of(LdapProviderConfig.PARAM_SEARCH_TIMEOUT, "invalid"));
         assertEquals(ConfigurationParameters.Milliseconds.of(PARAM_SEARCH_TIMEOUT_DEFAULT).value, config.getSearchTimeout());
     }
+
+    @Test
+    public void testEnabledProtocols() {
+        LdapProviderConfig config = LdapProviderConfig.of(ConfigurationParameters.of());
+        assertNull(config.enabledProtocols());
+
+        config.setEnabledProtocols("TLSv1.3", "TLSv1.2");
+        assertArrayEquals(new String[] {"TLSv1.3", "TLSv1.2"}, config.enabledProtocols());
+
+        config = LdapProviderConfig.of(ConfigurationParameters.of(PARAM_ENABLED_PROTOCOLS, "TLSv1.3"));
+        assertArrayEquals(new String[] {"TLSv1.3"}, config.enabledProtocols());
+
+        config = LdapProviderConfig.of(ConfigurationParameters.of(PARAM_ENABLED_PROTOCOLS, new String[] {"TLSv1.3", "TLSv1.2"}));
+        assertArrayEquals(new String[] {"TLSv1.3", "TLSv1.2"}, config.enabledProtocols());
+    }
 }
\ No newline at end of file
Index: oak-auth-ldap/pom.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- oak-auth-ldap/pom.xml (revision 1890045)
+++ oak-auth-ldap/pom.xml (date 1621522499199)
@@ -35,8 +35,8 @@
         2.0.0-M24
         false
-        0.92
-        0.86
+        0.93
+        0.88
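Review bot: `testEnabledProtocols` never exercises the empty-array path that `LdapProviderConfig.of()` special-cases with `enabledProtocols.length > 0`, so a regression that started handing an empty list to the connection config would pass this test unnoticed. Add `config = LdapProviderConfig.of(ConfigurationParameters.of(PARAM_ENABLED_PROTOCOLS, new String[0]));` followed by `assertNull(config.enabledProtocols());`. If the class is meant to protect the list from later mutation, a further assertion that `enabledProtocols()` does not return the very array passed to `setEnabledProtocols` would pin that down as well.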