directory-dev mailing list archives

From "Alexander Kozlov (JIRA)" <>
Subject [jira] [Created] (DIRSERVER-2012) Replication ignores startTLS when ads-replStrictCertValidation is true
Date Thu, 16 Oct 2014 15:52:34 GMT
Alexander Kozlov created DIRSERVER-2012:

             Summary: Replication ignores startTLS when ads-replStrictCertValidation is true
                 Key: DIRSERVER-2012
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: ldap
    Affects Versions: 2.0.0-M16
            Reporter: Alexander Kozlov
            Priority: Critical
             Fix For: 2.0.0-M18

1. Assume that the replication server does not have a valid certificate
2. Set up replication with _ads-replUseTls=true_ and _ads-replStrictCertValidation=true_

*Expected result:*
I think in that case the connection should always fail!

*Observed result:*
The first connect to that server really fails with InvalidConnectionException, but the next
time _ReplicationConsumerImpl_ reconnects it ignores _startTLS_ and successfully
connects over plain TCP!

The problem is caused by the _ReplicationConsumerImpl_ implementation:
{code}
// Braces restored for readability; the connection (and its TLS state) is only
// built when the field is null, so a later reconnect reuses the old object.
if ( connection == null )
{
    connection = new LdapNetworkConnection( providerHost, port );
    connection.setTimeOut( -1L );
    connection.setSchemaManager( schemaManager );

    if ( config.isUseTls() )
    {
        connection.getConfig().setTrustManagers( config.getTrustManager() );
        connection.startTls(); // the startTls() call referred to below
    }

    connection.addConnectionClosedEventListener( this );
}

// Try to connect
if ( connection.connect() )
{code}

The first time, the _startTls()_ method fails, but on reconnect it is not called because _connection_
is not _null_.
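As an added illustration of the fail-closed pattern the report asks for (this is example code written here, not ApacheDS code and not the reporter's), the helper below discards the previous connection object on every (re)connect and only reports success when, if TLS is required, StartTLS actually succeeded. It assumes the Apache LDAP API classes named in the imports; the helper class, its method names and the constructor parameters are hypothetical.

```java
import javax.net.ssl.TrustManager;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Hypothetical connect helper for a replication consumer (added example, not
 * project code). TLS setup runs on every connect attempt, never only on the
 * first one, and any TLS failure tears the connection down instead of leaving
 * a usable plaintext TCP connection behind.
 */
public class StrictTlsReplicationConnector
{
    private final String providerHost;
    private final int port;
    private final boolean useTls;            // corresponds to ads-replUseTls
    private final TrustManager trustManager; // strict validator when ads-replStrictCertValidation=true
    private LdapNetworkConnection connection;

    public StrictTlsReplicationConnector( String providerHost, int port, boolean useTls, TrustManager trustManager )
    {
        this.providerHost = providerHost;
        this.port = port;
        this.useTls = useTls;
        this.trustManager = trustManager;
    }

    /** Returns true only if the TCP connection is up and, when TLS is required, StartTLS succeeded. */
    public synchronized boolean connect()
    {
        // Always start from a fresh object: the TLS state lives inside the
        // connection, so reusing one whose startTls() failed is exactly what
        // allowed a plaintext reconnect in the bug described above.
        closeQuietly();

        connection = new LdapNetworkConnection( providerHost, port );
        connection.setTimeOut( -1L );

        try
        {
            if ( useTls )
            {
                connection.getConfig().setTrustManagers( trustManager );
            }

            if ( !connection.connect() )
            {
                closeQuietly();
                return false;
            }

            if ( useTls )
            {
                // Fail closed: an untrusted certificate or any other StartTLS
                // error must abort the whole connection, not downgrade it.
                connection.startTls();
            }

            return true;
        }
        catch ( LdapException e )
        {
            closeQuietly();
            return false;
        }
    }

    public synchronized void disconnect()
    {
        closeQuietly();
    }

    private void closeQuietly()
    {
        if ( connection != null )
        {
            try
            {
                connection.close();
            }
            catch ( Exception ignored )
            {
                // best-effort cleanup; the field is reset either way
            }
            connection = null;
        }
    }
}
```

The point of the design is that the "is TLS up?" decision is never cached across reconnects: the consumer's reconnect path calls `connect()` again and gets either a TLS-protected connection or `false`, with no third state in which a plain TCP session is silently reused.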

This message was sent by Atlassian JIRA
