Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2021/05/20 12:53:00 UTC

[jira] [Created] (OAK-9442) LDAPIdentityProvider: avoid usage of weak SSL/TLS protocol

Angela Schreiber created OAK-9442:
-------------------------------------

             Summary: LDAPIdentityProvider: avoid usage of weak SSL/TLS protocol
                 Key: OAK-9442
                 URL: https://issues.apache.org/jira/browse/OAK-9442
             Project: Jackrabbit Oak
          Issue Type: Improvement
          Components: auth-ldap
            Reporter: Angela Schreiber


Sonar issues a warning regarding usage of weak SSL/TLS protocols for the following code in {{LDAPIdentityProvider}}:

{code}
        // make sure the JVM supports TLSv1.1; otherwise fall back to TLSv1
        try {
            enabledSSLProtocols = null;
            SSLContext.getInstance("TLSv1.1");
        } catch (NoSuchAlgorithmException e) {
            log.warn("JDK does not support TLSv1.1. Disabling it.");
            enabledSSLProtocols = new String[]{"TLSv1"};
        }
{code}

This code was introduced with OAK-2951 (Regression: SSL errors with latest ldap client). My preference for addressing this would be to drop the try/catch altogether and replace it with an optional configuration option that allows the protocols to be enabled on the {{LDAPConnectionConfiguration}} to be explicitly defined.

The downside of this approach: current usages of oak-auth-ldap that relied on having an automatic fallback to TLSv1 in place would no longer work. However, I am not sure how big that risk is, given that TLSv1.2 has been required to be supported since Java 9 (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html)

[~chaotic], [~insuafer], what do you think?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
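As an added illustration of the explicit-configuration approach proposed in the issue (example code, not Oak's own code and not the Apache Directory client's API): a hypothetical enabledProtocols option is validated against the protocols the running JVM actually supports and then passed through unchanged. An unsupported value fails fast instead of triggering a silent downgrade, a legacy value (SSLv3, TLSv1, TLSv1.1) is honoured only because it was configured explicitly and is logged, and a value the JVM has disabled via jdk.tls.disabledAlgorithms is flagged because handshakes with it would fail anyway. The option name, the default list, the LEGACY set and the main method are assumptions made for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Added example, not Oak code: derive the TLS protocols to enable on an LDAP
 * connection from an explicit configuration value. There is deliberately no
 * probe-and-fall-back logic: an unsupported protocol is an error, not a reason
 * to silently downgrade to TLSv1.
 */
public class LdapTlsProtocols {

    /** Hypothetical option name, assumed for this example. */
    public static final String PARAM_ENABLED_PROTOCOLS = "enabledProtocols";

    /** Assumed default when the option is absent: modern protocols only. */
    public static final String[] DEFAULT_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /** Legacy protocols a JVM may still list as supported but that should not normally be enabled. */
    private static final Set<String> LEGACY = new HashSet<>(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));

    /**
     * @param configured value of the enabledProtocols option, or null/empty if unset
     * @return protocols to hand to the LDAP client, in configured order
     * @throws IllegalArgumentException if a configured protocol is unknown to this JVM
     */
    public static String[] resolve(String[] configured) throws NoSuchAlgorithmException {
        String[] requested = (configured == null || configured.length == 0) ? DEFAULT_PROTOCOLS : configured;

        // Protocols this JVM can negotiate at all (TLSv1.2 is guaranteed since Java 9).
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        // Protocols enabled by default, i.e. not removed via jdk.tls.disabledAlgorithms.
        Set<String> enabledByDefault = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols()));

        for (String p : requested) {
            if (!supported.contains(p)) {
                // Fail fast; the old try/catch would have fallen back to TLSv1 here.
                throw new IllegalArgumentException("Configured TLS protocol '" + p
                        + "' is not supported by this JVM; supported: " + supported);
            }
            if (LEGACY.contains(p)) {
                System.err.println("WARN: enabling legacy protocol " + p
                        + " as explicitly configured in " + PARAM_ENABLED_PROTOCOLS);
            }
            if (!enabledByDefault.contains(p)) {
                System.err.println("WARN: " + p + " is disabled by jdk.tls.disabledAlgorithms;"
                        + " handshakes using it will fail unless java.security is changed");
            }
        }
        return requested.clone();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default:  " + Arrays.toString(resolve(null)));
        System.out.println("explicit: " + Arrays.toString(resolve(new String[]{"TLSv1.2"})));
        try {
            resolve(new String[]{"TLSv9"});
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The array returned by resolve() is what would be handed to the LDAP client's connection configuration in place of the enabledSSLProtocols value computed by the try/catch above; the point of the example is that the protocol list is decided by the deployer, and the only runtime check is whether the JVM can actually honour it.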