You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Miroslav Smiljanic (Jira)" <ji...@apache.org> on 2021/06/03 14:54:06 UTC
[jira] [Closed] (OAK-9442) LDAPIdentityProvider: avoid usage of
week SSL/TLS protocol
[ https://issues.apache.org/jira/browse/OAK-9442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Miroslav Smiljanic closed OAK-9442.
-----------------------------------
> LDAPIdentityProvider: avoid usage of week SSL/TLS protocol
> ----------------------------------------------------------
>
> Key: OAK-9442
> URL: https://issues.apache.org/jira/browse/OAK-9442
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-ldap
> Reporter: Angela Schreiber
> Priority: Major
> Fix For: 1.40.0
>
> Attachments: OAK-9442.patch
>
>
> sonar issues a warning regarding usage of week SSL/TLS protocols the following code in {{LDAPIdentityProvider}}:
> {code}
> // make sure the JVM supports the TLSv1.1
> try {
> enabledSSLProtocols = null;
> SSLContext.getInstance("TLSv1.1");
> } catch (NoSuchAlgorithmException e) {
> log.warn("JDK does not support TLSv1.1. Disabling it.");
> enabledSSLProtocols = new String[]{"TLSv1"};
> }
> {code}
> This code has been introduced with OAK-2951 (Regression: SSL errors with latest ldap client). My preference for addressing this would be to drop the try/catch altogether and replace with an optional configuration option that allows to explicitly defined protocols to be enabled on the {{LDAPConnectionConfiguration}}.
> The downside of this approach: current usage of the oak-auth-ldap that relied on having an automatic fallback to TLSv1 installed would no longer work. However, I am not sure how big that risk is, given that TLSv1.2 is required to be supported since java 9 (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html)
> [~chaotic], [~insuafer], what do you think?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)