You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Alexander Kozlov (JIRA)" <ji...@apache.org> on 2014/10/16 19:12:33 UTC

[jira] [Commented] (DIRSERVER-2012) Replication ignores startTLS when ads-replStrictCertValidation is true

    [ https://issues.apache.org/jira/browse/DIRSERVER-2012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14173966#comment-14173966 ] 

Alexander Kozlov commented on DIRSERVER-2012:
---------------------------------------------

instead of calling {code}
connection.startTls();
{code}
you should call {code}
connection.getConfig().setUseTls(true);
{code}
In that case TLS will be started in _LdapNetworkConnection.bindAsync()_.

> Replication ignores startTLS when ads-replStrictCertValidation is true
> ----------------------------------------------------------------------
>
>                 Key: DIRSERVER-2012
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2012
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-M16
>            Reporter: Alexander Kozlov
>            Priority: Critical
>             Fix For: 2.0.0-M18
>
>
> *Precondition:*
> 1. Assume that replication server does not have valid certificate
> 2. Setup replication with _ads-replUseTls=true_ and _ads-replStrictCertValidation=true_
> *Expected result:*
> I think in that case connection should always fail!
> *Observed result:*
> The first connect to that server will really fails with InvalidConnectionException, but next time _ReplicationConsumerImpl_ will reconnect it will ignore _startTLS_ and it will successfully connected over TCP!
> Problem caused by _ReplicationConsumerImpl_ implementation:{code}
> if ( connection == null )
> {
>     connection = new LdapNetworkConnection( providerHost, port );
>     connection.setTimeOut( -1L );
>     connection.setSchemaManager( schemaManager );
>     
>     if ( config.isUseTls() )
>     {
>         connection.getConfig().setTrustManagers( config.getTrustManager() );
>         connection.startTls();
>     }
>     connection.addConnectionClosedEventListener( this );
> }
> // Try to connect
> if ( connection.connect() )
> {code}
> The first time _startTls()_ method fails, but on reconnect it's not called because _connection_ is not _null_.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)