Posted to dev@directory.apache.org by "Stefan Seelmann (JIRA)" <ji...@apache.org> on 2009/06/04 16:55:07 UTC

[jira] Created: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Update of server certificate in uid=admin,ou=system only takes effect after restart
-----------------------------------------------------------------------------------

                 Key: DIRSERVER-1373
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: ldap
    Affects Versions: 1.5.4
            Reporter: Stefan Seelmann
             Fix For: 1.5.5


When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann updated DIRSERVER-1373:
---------------------------------------

    Attachment:     (was: DIRSEVER-1373-LDAPS-Testcase.patch)

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Commented: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716855#action_12716855 ] 

Kiran Ayyagari commented on DIRSERVER-1373:
-------------------------------------------

>> What happens to established SSL or StartTLS sessions when calling reloadSslContext? Are they killed or do they continue to use the old certificate?

Atm, the connections are not blocked from reading and writing. I think we can achieve it by suspending read/write on all the sessions. Emmanuel, is this the right way to do it from a MINA pov?

But another question is what happens to an already existing SSL connection? Wouldn't it fail because of the new certificate?

>> to reload the SSL context automatically when the certificate of uid=admin,ou=system gets updated

No clue at the moment how to do this in an efficient way; certainly any check put in the interceptor would be overkill IMHO.


> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Updated: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari updated DIRSERVER-1373:
--------------------------------------

         Priority: Minor  (was: Major)
    Fix Version/s:     (was: 2.0.0-RC1)
                   2.1.1

Lowering priority and moving this issue to 2.1.1, assuming that in most cases the certificate won't be updated while the server is running.

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>            Assignee: Kiran Ayyagari
>            Priority: Minor
>             Fix For: 2.1.1
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Assigned: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari reassigned DIRSERVER-1373:
-----------------------------------------

    Assignee: Kiran Ayyagari

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>            Assignee: Kiran Ayyagari
>             Fix For: 2.0.0-RC1
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Updated: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRSERVER-1373:
-----------------------------------------

    Fix Version/s:     (was: 1.5.5)
                   2.0.0-RC1

Postponed to 2.0.0-RC1

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 2.0.0-RC1
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Commented: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716631#action_12716631 ] 

Stefan Seelmann commented on DIRSERVER-1373:
--------------------------------------------

Thanks Kiran for the patch. It seems to work; I'll continue to play with it, as I want to add some more certificate tests to Studio.

I only have a minor problem running the server's integration tests. I think the cause is that a previous test injected a new certificate and a later test expects the previous certificate. I solved it by calling ldapService.reloadSslContext() in the @Before method.

In the end it would be cool to reload the SSL context automatically when the certificate of uid=admin,ou=system gets updated. However, when using the changeLog feature (i.e. in integration tests) the DirectoryService.revert() operation must make sure to reload the SSL context if the certificate is updated.

And a last question: What happens to established SSL or StartTLS sessions when calling reloadSslContext? Are they killed or do they continue to use the old certificate?

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Commented: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12716865#action_12716865 ] 

Stefan Seelmann commented on DIRSERVER-1373:
--------------------------------------------

I created a lot of tests for Studio, your patch works great. Thanks Kiran.

Regarding automatic update: I think it is not too expensive to check if the modified entry is "uid=admin,ou=system". Such checks exist in many other interceptors.

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Updated: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann updated DIRSERVER-1373:
---------------------------------------

    Attachment: DIRSEVER-1373-LDAPS-Testcase.patch

Attached a test when using ldaps://, a test for StartTLS will follow...

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSEVER-1373-LDAPS-Testcase.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Updated: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Stefan Seelmann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seelmann updated DIRSERVER-1373:
---------------------------------------

    Attachment: DIRSEVER-1373-Testcases.patch

Testcases for ldaps:// and StartTLS, including a nasty hack to access the received certificate.

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.


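As an added example (not one of the attached patches and not ApacheDS code), the following JNDI-based check, in the project's language, fetches the certificate that a fresh StartTLS session and a fresh ldaps:// session receive and prints a SHA-256 fingerprint of each. For StartTLS the SSLSession is returned by negotiate(); for ldaps:// JNDI never exposes the session, so a recording SSLSocketFactory is installed through the java.naming.ldap.factory.socket property, which is the kind of trick the comment above calls a "nasty hack". The example assumes a running ApacheDS on localhost with the default ports 10389/10636 and the default admin credentials (uid=admin,ou=system / secret), and assumes the server certificate is trusted by the JVM truststore; the class and method names are this example's own. Run it once, replace userCertificate, privateKey and publicKey in uid=admin,ou=system, and run it again: while the bug is present both fingerprints stay unchanged until the server is restarted.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Example check (not project code): fingerprint of the cert a new LDAP TLS session receives. */
public class ServerCertCheck {

    // Assumed ApacheDS test instance: default ports and default admin password.
    static final String LDAP_URL = "ldap://localhost:10389";
    static final String LDAPS_URL = "ldaps://localhost:10636";
    static final String ADMIN_DN = "uid=admin,ou=system";
    static final String ADMIN_PW = "secret";

    /** Lowercase hex SHA-256 over the DER encoding (same value as openssl x509 -sha256 -fingerprint). */
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static Hashtable<String, String> env(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, ADMIN_DN);
        env.put(Context.SECURITY_CREDENTIALS, ADMIN_PW);
        return env;
    }

    /** StartTLS: negotiate() hands back the SSLSession, so the peer chain is directly available. */
    static String viaStartTls() throws Exception {
        Hashtable<String, String> env = env(LDAP_URL);
        env.remove(Context.SECURITY_AUTHENTICATION); // bind only after the channel is protected
        env.remove(Context.SECURITY_PRINCIPAL);
        env.remove(Context.SECURITY_CREDENTIALS);
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            try {
                Certificate[] chain = tls.negotiate().getPeerCertificates(); // default trust manager
                return fingerprint(chain[0]);
            } finally {
                tls.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** ldaps://: JNDI instantiates this reflectively via getDefault() and keeps the SSLSession private,
     *  so the factory remembers the last socket it created and the session is read from that. */
    public static class RecordingSocketFactory extends SSLSocketFactory {
        static volatile SSLSocket lastSocket;
        private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();

        public static SocketFactory getDefault() { return new RecordingSocketFactory(); }

        private Socket record(Socket s) { lastSocket = (SSLSocket) s; return s; }

        @Override public Socket createSocket() throws IOException { return record(delegate.createSocket()); }
        @Override public Socket createSocket(String h, int p) throws IOException { return record(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return record(delegate.createSocket(h, p, lh, lp)); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return record(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return record(delegate.createSocket(h, p, lh, lp)); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return record(delegate.createSocket(s, h, p, autoClose)); }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    }

    static String viaLdaps() throws Exception {
        Hashtable<String, String> env = env(LDAPS_URL);
        env.put("java.naming.ldap.factory.socket", RecordingSocketFactory.class.getName());
        LdapContext ctx = new InitialLdapContext(env, null); // the bind completes the handshake
        try {
            Certificate[] chain = RecordingSocketFactory.lastSocket.getSession().getPeerCertificates();
            return fingerprint(chain[0]);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("StartTLS: " + viaStartTls());
        System.out.println("ldaps:    " + viaLdaps());
    }
}
```

Each call opens a brand-new connection on purpose: the question in this thread is what a new session receives after the entry changes, not what an already established session keeps using, and an SSLSession obtained from a long-lived context would only ever show the certificate negotiated when that context was opened.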

[jira] Updated: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kiran Ayyagari updated DIRSERVER-1373:
--------------------------------------

    Attachment: DIRSERVER-1373-testcases-UPDATED.patch

The attached patch includes a fix to reload the keystore and SSL context. IMO the StartTlsHandler's code requires a cleanup because it has the same code that LdapService uses to create the SSL context.

If the fix is acceptable then I propose to create an extended operation to reload the SSL context with the updated digital certificate.

Seelmann, this patch also includes the original patch's contents.

> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 1.5.5
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.



[jira] Commented: (DIRSERVER-1373) Update of server certificate in uid=admin,ou=system only takes effect after restart

Posted by "Kiran Ayyagari (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DIRSERVER-1373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12745114#action_12745114 ] 

Kiran Ayyagari commented on DIRSERVER-1373:
-------------------------------------------

Patch has been applied for reloading the SSL context
http://svn.apache.org/viewvc?rev=805871&view=rev

We need to address two things (raised above by Seelmann):

 1. What happens to established SSL or StartTLS sessions when calling reloadSslContext? Are they killed or do they continue to use the old certificate?

 2. Reloading the SSL context automatically when the certificate of uid=admin,ou=system gets updated.


> Update of server certificate in uid=admin,ou=system only takes effect after restart
> -----------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1373
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1373
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 1.5.4
>            Reporter: Stefan Seelmann
>             Fix For: 2.0.0-RC1
>
>         Attachments: DIRSERVER-1373-testcases-UPDATED.patch, DIRSEVER-1373-Testcases.patch
>
>
> When I update the privateKey, publicKey and userCertificate in uid=admin,ou=system and start a new StartTLS session, the server still uses the old certificate. After a restart the server uses the new certificate.
