Posted to oak-commits@jackrabbit.apache.org by tr...@apache.org on 2015/06/08 23:50:52 UTC

svn commit: r1684287 - /jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java

Author: tripod
Date: Mon Jun  8 21:50:52 2015
New Revision: 1684287

URL: http://svn.apache.org/r1684287
Log:
OAK-2951 Regression: SSL errors with latest ldap client

Modified:
    jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java

Modified: jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java?rev=1684287&r1=1684286&r2=1684287&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java (original)
+++ jackrabbit/oak/trunk/oak-auth-ldap/src/main/java/org/apache/jackrabbit/oak/security/authentication/ldap/impl/LdapIdentityProvider.java Mon Jun  8 21:50:52 2015
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.oak.security.authentication.ldap.impl;
 
+import java.security.NoSuchAlgorithmException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -28,6 +29,7 @@ import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import javax.jcr.Credentials;
 import javax.jcr.SimpleCredentials;
+import javax.net.ssl.SSLContext;
 import javax.security.auth.login.LoginException;
 
 import org.apache.commons.pool.impl.GenericObjectPool;
@@ -116,6 +118,10 @@ public class LdapIdentityProvider implem
      */
     private PoolableUnboundConnectionFactory userConnectionFactory;
 
+    /**
+     * SSL protocols (initialized on init)
+     */
+    private String[] enabledSSLProtocols;
 
     /**
      * Default constructor for OSGi
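Review bot: The Javadoc on `enabledSSLProtocols` does not say what the unset state means, while the other hunks of this commit treat `null` as "do not call setEnabledProtocols". I would spell that out, for example `Protocols passed to the connection config; {@code null} keeps the LDAP client's defaults (set in init).` The only value ever assigned is a TLS protocol name, so `enabledTlsProtocols` would be a more accurate field name, though that is cosmetic.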
@@ -480,6 +486,15 @@ public class LdapIdentityProvider implem
             throw new IllegalStateException("Provider already initialized.");
         }
 
+        // make sure the JVM supports the TLSv1.1
+        try {
+            enabledSSLProtocols = null;
+            SSLContext.getInstance("TLSv1.1");
+        } catch (NoSuchAlgorithmException e) {
+            log.warn("JDK does not support TLSv1.1. Disabling it.");
+            enabledSSLProtocols = new String[]{"TLSv1"};
+        }
+
         // setup admin connection pool
         LdapConnectionConfig cc = createConnectionConfig();
         String bindDN = config.getBindDN();
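Review bot: The catch block in init() narrows the client to `TLSv1` only, but the warn line neither says so nor keeps the exception, so an operator reading the log cannot tell that LDAP traffic is now limited to TLS 1.0. Something like `log.warn("JDK does not support TLSv1.1; restricting LDAP connections to TLSv1.", e);` would record it. The probe also tests a single protocol name: if the LDAP client's default list holds other versions this JVM lacks (not visible in this hunk), the handshake could presumably still fail, so consider filtering a preferred list against `SSLContext.getDefault().getSupportedSSLParameters().getProtocols()` instead. The comment `// make sure the JVM supports the TLSv1.1` would be more accurate as `// probe for TLSv1.1; fall back to TLSv1 only when the JVM lacks it`. The value set here is consumed in the createConnectionConfig hunk further down, and init() itself continues outside this hunk.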
@@ -535,6 +550,11 @@ public class LdapIdentityProvider implem
         if (config.noCertCheck()) {
             cc.setTrustManagers(new NoVerificationTrustManager());
         }
+
+        if (enabledSSLProtocols != null) {
+            cc.setEnabledProtocols(enabledSSLProtocols);
+        }
+
         return cc;
     }