From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Problem using TLS or SSL to establish a secure binding
Date Wed, 25 Mar 2015 09:53:53 GMT
Le 25/03/15 09:49, Karim Hosny a écrit :
> Same error, it ignores the setSslProtocol method completely and the error message shows
up for TLSv1.1
Ahhh, I know what's wrong. We define the list of supported protocols :

            // Be sure we disable SSLV3
            sslFilter.setEnabledProtocols( new String[]
                { "TLSv1", "TLSv1.1", "TLSv1.2" } );

and this list is used to initialize the SslEngine. It's likely not to be
accepted when running with Java 6...

Any reason you have to run your code with Java 6, which has been EOL since
February 2013? TLSv1 is proven to be broken and you should *never* use
it; since it is the highest protocol supported by Java 6, running on it
would put your client at high risk...

Anyway, I'm going to patch the API to allow users to define the list of
protocols to use. Here is the patch if you want to apply it to the code
base on your own :

Index:
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java
===================================================================
---
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java
  
(revision 1667210)
+++
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java
  
(working copy)
@@ -99,6 +99,9 @@
     /** an array of cipher suites which are enabled, if set, will be
used while initializing the SSL context */
     private String[] enabledCipherSuites;
 
+    /** an array of protocols which are enabled, if set, will be used
while initializing the SSL context */
+    private String[] enabledProtocols;
+
     /** name of the protocol used for creating SSL context, default
value is "TLS" */
     private String sslProtocol = DEFAULT_SSL_PROTOCOL;
 
@@ -452,6 +455,28 @@
 
 
     /**
+     * Gets the protocols which are enabled.
+     *
+     * @return the protocol which are enabled
+     */
+    public String[] getEnabledProtocols()
+    {
+        return enabledProtocols;
+    }
+
+
+    /**
+     * Sets the protocols which are enabled
+     *
+     * @param enabledProtocols the protocols which are enabled
+     */
+    public void setEnabledProtocols( String... enabledProtocols )
+    {
+        this.enabledProtocols = enabledProtocols;
+    }
+
+
+    /**
      * @return the binaryAttributeDetector
      */
     public BinaryAttributeDetector getBinaryAttributeDetector()
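Review bot: Both accessors alias the caller's array, so the protocol list the connection will negotiate can be changed after configuration by whoever still holds the array passed to `setEnabledProtocols` or returned by `getEnabledProtocols`; for a security setting the config should own its copy, e.g. `this.enabledProtocols = enabledProtocols == null ? null : enabledProtocols.clone();` in the setter and `return enabledProtocols == null ? null : enabledProtocols.clone();` in the getter. The existing `enabledCipherSuites` accessors, which are outside this hunk, presumably have the same shape and would deserve the same treatment. The getter's Javadoc also reads `@return the protocol which are enabled` and should be `@return the protocols which are enabled`, and the setter's Javadoc should state that the list is passed to the SSL engine verbatim, so whatever names the caller supplies (including anything weaker than the defaults) is what gets enabled.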
Index:
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java
===================================================================
---
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java
  
(revision 1667210)
+++
ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java
  
(working copy)
@@ -3827,12 +3827,29 @@
 
             SslFilter sslFilter = new SslFilter( sslContext, true );
             sslFilter.setUseClientMode( true );
-            sslFilter.setEnabledCipherSuites(
config.getEnabledCipherSuites() );
 
+            // Configure the enabled cipher lists
+            String[] enabledCipherSuite = config.getEnabledCipherSuites();
+
+            if ( ( enabledCipherSuite != null ) && (
enabledCipherSuite.length != 0 ) )
+            {
+                sslFilter.setEnabledCipherSuites( enabledCipherSuite );
+            }
+
             // Be sure we disable SSLV3
-            sslFilter.setEnabledProtocols( new String[]
-                { "TLSv1", "TLSv1.1", "TLSv1.2" } );
+            String[] enabledProtocols = config.getEnabledProtocols();
 
+            if ( ( enabledProtocols != null ) && (
enabledProtocols.length != 0 ) )
+            {
+                sslFilter.setEnabledProtocols( enabledProtocols );
+            }
+            else
+            {
+                // Default to TLS
+                sslFilter.setEnabledProtocols( new String[]
+                    { "TLSv1", "TLSv1.1", "TLSv1.2" } );
+            }
+
             // for LDAPS
             if ( ldapSession == null )
             {
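Review bot: The `// Be sure we disable SSLV3` comment now sits above code that applies whatever list `config.getEnabledProtocols()` returns, so it only describes the `else` branch; a caller can enable SSLv3 through the new setter and the comment would claim otherwise. Move or reword it, e.g. `// Apply the caller's protocol list verbatim; otherwise fall back to the TLS defaults (SSLv3 is not in the default list)`. The fallback still lists `"TLSv1"`, which the accompanying message itself says should never be used, so the defaults and the stated intent disagree; that is a pre-existing choice rather than something this hunk introduces, but it is worth a comment on why TLSv1 is kept (compatibility, presumably). The enclosing method starts before and continues after this hunk.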



