Posted to dev@directory.apache.org by "Daniel Fisher (Created) (JIRA)" <ji...@apache.org> on 2012/01/23 21:37:40 UTC
[jira] [Created] (DIRAPI-69) startTLS hostname verification
startTLS hostname verification
------------------------------
Key: DIRAPI-69
URL: https://issues.apache.org/jira/browse/DIRAPI-69
Project: Directory Client API
Issue Type: Improvement
Reporter: Daniel Fisher
The current API does not have any features for controlling hostname verification. In addition, it appears that *no* hostname verification occurs by default. See RFC 2830 section 3.6
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (DIRAPI-69) startTLS hostname verification
Posted by "Daniel Fisher (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13192185#comment-13192185 ]
Daniel Fisher commented on DIRAPI-69:
-------------------------------------
I have not. Admittedly I was looking for something that uses HostnameVerifier. I'll try using an X509TrustManager and report back.
[jira] [Commented] (DIRAPI-69) startTLS hostname verification
Posted by "Daniel Fisher (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13197201#comment-13197201 ]
Daniel Fisher commented on DIRAPI-69:
-------------------------------------
I was able to get the functionality I wanted with the current API (M9). Namely, I wanted both the default certificate trust manager and a hostname verification trust manager. Configuring multiple trust managers is made more difficult due to the fact that SSLContext#init() accepts an array, but only uses the first entry in the array. So in addition to coding a custom trust manager you also have to code a trust manager that effectively wraps and delegates to all the trust managers you want to use. Nevertheless, it's possible, so you can resolve this issue.
I do think it's worth noting that no hostname verification occurs by default for startTLS and this is a violation of RFC 2830 section 3.6. You may want to consider adding a trust manager to conform.
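The wrap-and-delegate arrangement described in the comment above, as an added example (it is not Daniel Fisher's trust manager and not code from the Directory API). The class and method names are hypothetical, and the hostname check is assumed to look only at dNSName subjectAltName entries, matched case-insensitively with `*` allowed as the left-most label, following RFC 2830 section 3.6.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
/** Added example; every class and method name declared here is hypothetical. */
public final class StartTlsTrust {
    static final class AllOf implements X509TrustManager { // accepts a chain only if every delegate does
        private final X509TrustManager[] delegates;
        AllOf(X509TrustManager... delegates) {
            if (delegates.length == 0) throw new IllegalArgumentException("empty list would trust every certificate");
            this.delegates = delegates.clone();
        }
        public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
            for (X509TrustManager d : delegates) d.checkClientTrusted(c, t);
        }
        public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
            for (X509TrustManager d : delegates) d.checkServerTrusted(c, t);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegates[0].getAcceptedIssuers(); }
    }
    /** Compares the leaf certificate's dNSName subjectAltNames with the host the client connected to. */
    static final class HostnameCheck implements X509TrustManager {
        private final String host;
        HostnameCheck(String host) { this.host = host.toLowerCase(Locale.ROOT); }
        public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
            throw new CertificateException("this trust manager only checks servers");
        }
        public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
            if (c == null || c.length == 0) throw new CertificateException("empty chain");
            Collection<List<?>> sans = c[0].getSubjectAlternativeNames(); // null if extension absent
            if (sans != null) for (List<?> san : sans)                    // [type, value]; type 2 = dNSName
                if (Integer.valueOf(2).equals(san.get(0)) && matches(san.get(1).toString())) return;
            throw new CertificateException("no dNSName subjectAltName matches " + host);
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        boolean matches(String name) { // case-insensitive; "*" only as the whole left-most label
            String n = name.toLowerCase(Locale.ROOT);
            int dot = host.indexOf('.');
            return n.equals(host) || (n.startsWith("*.") && dot > 0 && n.substring(1).equals(host.substring(dot)));
        }
    }
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory f = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        f.init((KeyStore) null); // null selects the JRE's default trust store
        for (TrustManager tm : f.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

Passing `new AllOf(defaultTrustManager(), new HostnameCheck(host))` to the `LdapConnectionConfig.setTrustManagers(TrustManager...)` method named in the thread gives both checks through a single array entry. `host` must be the name the client used to open the connection, never a name supplied by the server.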
[jira] [Updated] (DIRAPI-69) API does not allow StartTLS hostname verification
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRAPI-69:
------------------------------------
Fix Version/s: 1.0.0-M13 (was: 1.0.0-M12)
> API does not allow StartTLS hostname verification
> -------------------------------------------------
>
> Key: DIRAPI-69
> URL: https://issues.apache.org/jira/browse/DIRAPI-69
> Project: Directory Client API
> Issue Type: Improvement
> Affects Versions: 1.0.0-M9
> Reporter: Daniel Fisher
> Assignee: Pierre-Arnaud Marcelot
> Fix For: 1.0.0-M13
>
>
> The current API does not have any features for controlling hostname verification. In addition, it appears that *no* hostname verification occurs by default. See RFC 2830 section 3.6
[jira] [Commented] (DIRAPI-69) startTLS hostname verification
Posted by "Pierre-Arnaud Marcelot (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191977#comment-13191977 ]
Pierre-Arnaud Marcelot commented on DIRAPI-69:
----------------------------------------------
Hi Daniel,
Have you tried implementing a javax.net.ssl.X509TrustManager and assigning it to the org.apache.directory.ldap.client.api.LdapConnectionConfig.setTrustManagers(TrustManager...) method?
I know it's working when accessing the servers using LDAPS but I'm not sure it's used during the StartTLS operation though.
FYI, we provide a default implementation, org.apache.directory.ldap.client.api.NoVerificationTrustManager, which trusts the given certificates without verifying them (and logs the received certificates at debug level).
[jira] [Updated] (DIRAPI-69) API does not allow StartTLS hostname verification
Posted by "Pierre-Arnaud Marcelot (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pierre-Arnaud Marcelot updated DIRAPI-69:
-----------------------------------------
Affects Version/s: 1.0.0-M9
Assignee: Pierre-Arnaud Marcelot
Summary: API does not allow StartTLS hostname verification (was: startTLS hostname verification)
> API does not allow StartTLS hostname verification
> -------------------------------------------------
>
> Key: DIRAPI-69
> URL: https://issues.apache.org/jira/browse/DIRAPI-69
> Project: Directory Client API
> Issue Type: Improvement
> Affects Versions: 1.0.0-M9
> Reporter: Daniel Fisher
> Assignee: Pierre-Arnaud Marcelot
>
> The current API does not have any features for controlling hostname verification. In addition, it appears that *no* hostname verification occurs by default. See RFC 2830 section 3.6
[jira] [Updated] (DIRAPI-69) API does not allow StartTLS hostname verification
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRAPI-69:
------------------------------------
Fix Version/s: 1.0.0-M14 (was: 1.0.0-M13)
> API does not allow StartTLS hostname verification
> -------------------------------------------------
>
> Key: DIRAPI-69
> URL: https://issues.apache.org/jira/browse/DIRAPI-69
> Project: Directory Client API
> Issue Type: Improvement
> Affects Versions: 1.0.0-M9
> Reporter: Daniel Fisher
> Assignee: Pierre-Arnaud Marcelot
> Fix For: 1.0.0-M14
>
>
> The current API does not have any features for controlling hostname verification. In addition, it appears that *no* hostname verification occurs by default. See RFC 2830 section 3.6
[jira] [Updated] (DIRAPI-69) API does not allow StartTLS hostname verification
Posted by "Emmanuel Lecharny (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRAPI-69:
------------------------------------
Fix Version/s: 1.0.0-M11
> API does not allow StartTLS hostname verification
> -------------------------------------------------
>
> Key: DIRAPI-69
> URL: https://issues.apache.org/jira/browse/DIRAPI-69
> Project: Directory Client API
> Issue Type: Improvement
> Affects Versions: 1.0.0-M9
> Reporter: Daniel Fisher
> Assignee: Pierre-Arnaud Marcelot
> Fix For: 1.0.0-M11
>
>
> The current API does not have any features for controlling hostname verification. In addition, it appears that *no* hostname verification occurs by default. See RFC 2830 section 3.6
[jira] [Commented] (DIRAPI-69) API does not allow StartTLS hostname verification
Posted by "Pierre-Arnaud Marcelot (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13197732#comment-13197732 ]
Pierre-Arnaud Marcelot commented on DIRAPI-69:
----------------------------------------------
Hi Daniel,
Thanks for trying it out.
I opened a separate issue for the default hostname verification error - DIRAPI-72 (Provide a default TrustManager for hostname verification to comply with RFC 2830 Section 3.6).
Any chance you'd like to contribute your hostname verification trust manager to that issue?
Thanks!