On 1/11/19 11:09 AM, Emmanuel Lécharny wrote:
> Hi guys,
> 
> 
> I'm currently checking all the pending JIRAs, trying to evaluate those
> that need to be closed in the coming release, those that are invalid,
> and those that need to be postponed.
> 
> While doing that, I see there are quite a few important ones related to
> TLS and security checks that probably need to be addressed before we cut
> a 2.0 GA (which means the next release will still be a milestone).
> 
> Here are the JIRAs I'm interested in, ordered according to some release
> roadmap (mine ;-) :
> 
> To be fixed for the next milestone
> ----------------------------------
> DIRAPI-69, API does not allow StartTLS hostname verification
> DIRAPI-72, Provide a default TrustManager for hostname verification to
> comply with RFC 2830 Section 3.6
> DIRAPI-298, Inconsistent SASL bind API : add the missing bindGssApi()
> method
> DIRAPI-299, Unable to change expired password unless logging in as admin.

I promised a mail regarding TLS some while ago but never wrote it. But
these are the points.

DIRAPI-301 you already fixed, so now the default JVM trust manager is
just, thanks for that.

The hostname verification should also be implemented, I agree. In Studio
that is implemented [1] by using DefaultHostnameVerifier from Apache
HTTP client library which is anyway included in Eclipse. This class does
not do exactly what is defined in the LDAP RFC but is better than nothing. If
we implement our own verifier in the LDAP API we can change it.

[1]
https://github.com/apache/directory-studio/blob/remove-jndi-provider-and-jndi-layer/plugins/connection.core/src/main/java/org/apache/directory/studio/connection/core/io/StudioTrustManager.java#L157

> To be fixed for 2.0GA
> ---------------------
> DIRAPI-136, Add the TLS closure alert support in the API
> DIRAPI-149, LdapNetworkConnection should not create user-Threads
> DIRAPI-202, Can't get LdapConnectionTemplate working
> DIRAPI-237, Make the API threadsafe
> DIRAPI-299, Unable to change expired password unless logging in as admin.
> DIRAPI-300, Weird batchResponse when batchRequest contains grammar error
> DIRAPI-320, ClassCastException on Objects.equals(Value,Value) for
> userPassword attribute

Sounds good. I don't plan beyond that :)
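
Added example, not code from this thread, the Apache LDAP API or Studio: a sketch of the server identity comparison that RFC 2830 Section 3.6 describes (the subject of DIRAPI-69 and DIRAPI-72), limited to dNSName subjectAltName entries. The class and method names are hypothetical, the host names in `main` are constructed, and restricting the wildcard to exactly one label is an assumption of this example.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Hypothetical class; not part of the Apache LDAP API or Studio.
public class Rfc2830HostnameCheck {
    private static final int DNS_NAME = 2; // subjectAltName GeneralName type dNSName

    // Collect the dNSName subjectAltName entries of the server certificate.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when absent
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == DNS_NAME) names.add((String) san.get(1));
            }
        }
        return names;
    }

    // Case-insensitive comparison; "*" is accepted only as the entire left-most label.
    // Letting it cover exactly one label is a conservative choice made for this example.
    static boolean matchesName(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return !p.contains("*") && h.equals(p);
        String suffix = p.substring(1); // "*.bar.com" -> ".bar.com"
        if (suffix.contains("*") || !h.endsWith(suffix)) return false;
        String left = h.substring(0, h.length() - suffix.length());
        return !left.isEmpty() && !left.contains(".");
    }

    // A match against any one of the presented names is sufficient.
    static boolean matchesAny(String host, List<String> names) {
        return names.stream().anyMatch(n -> matchesName(host, n));
    }

    public static void main(String[] args) {
        List<String> names = Arrays.asList("ldap.example.com", "*.bar.com"); // constructed
        for (String host : new String[] {"LDAP.Example.COM", "a.bar.com", "bar.com", "x.a.bar.com"}) {
            System.out.println(host + " -> " + matchesAny(host, names));
        }
    }
}
```

The host passed to `matchesAny` must be the name the client used to open the connection, never a name taken from the server's response or from a reverse DNS lookup.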
