You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2021/05/20 12:53:00 UTC
[jira] [Created] (OAK-9442) LDAPIdentityProvider: avoid usage of
week SSL/TLS protocol
Angela Schreiber created OAK-9442:
-------------------------------------
Summary: LDAPIdentityProvider: avoid usage of week SSL/TLS protocol
Key: OAK-9442
URL: https://issues.apache.org/jira/browse/OAK-9442
Project: Jackrabbit Oak
Issue Type: Improvement
Components: auth-ldap
Reporter: Angela Schreiber
sonar issues a warning regarding usage of week SSL/TLS protocols the following code in {{LDAPIdentityProvider}}:
{code}
// make sure the JVM supports the TLSv1.1
try {
enabledSSLProtocols = null;
SSLContext.getInstance("TLSv1.1");
} catch (NoSuchAlgorithmException e) {
log.warn("JDK does not support TLSv1.1. Disabling it.");
enabledSSLProtocols = new String[]{"TLSv1"};
}
{code}
This code has been introduced with OAK-2951 (Regression: SSL errors with latest ldap client). My preference for addressing this would be to drop the try/catch altogether and replace with an optional configuration option that allows to explicitly defined protocols to be enabled on the {{LDAPConnectionConfiguration}}.
The downside of this approach: current usage of the oak-auth-ldap that relied on having an automatic fallback to TLSv1 installed would no longer work. However, I am not sure how big that risk is, given that TLSv1.2 is required to be supported since java 9 (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html)
[~chaotic], [~insuafer], what do you think?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)