Hi Shawn,

I added TLSv1.3 to the default protocols in [1]. There is an open issue
for Mina [2] that describes timeouts when using v1.3, please see my
comment there. When used in Studio I didn't encounter any issue in tests
against OpenLDAP or 389ds, only when using it in ApacheDS, so I assumed
it's only a server-side problem. But your observations prove that my
assumption was wrong.

Which Java version are you using? I ask because I only tested with Java
11 and 17-ea, but not with Java 8.

Otherwise I think you aren't doing anything wrong. Either continue with
your workaround, or we need to revert that change in the LDAP API until
the problem is fixed in Mina.

Kind Regards,
Stefan

[1] https://issues.apache.org/jira/browse/DIRAPI-375
[2] https://issues.apache.org/jira/browse/DIRMINA-1132


On 7/3/21 7:26 PM, Shawn McKinney wrote:
> Hello,
> 
> A problem with Fortress using LDAPS in the API.  It was brought on by this 
> commit:
> 
> https://github.com/apache/directory-ldap-api/commit/4322886f8ed9fe0d2c588f0c557e92e4d160149f
> 
> 
> ```
> public class LdapNetworkConnection
> …
> 
> // Default to TLS                 sslFilter.setEnabledProtocols( new String[]
> - { "TLSv1", "TLSv1.1", "TLSv1.2" } );
> + { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" } );
> ```
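Review bot: the `+` line keeps "TLSv1" and "TLSv1.1" in the default enabled list next to the newly added "TLSv1.3"; both older versions are deprecated (RFC 8996), so if the default is being revised anyway, consider `{ "TLSv1.2", "TLSv1.3" }` and leave the legacy versions to an explicit `setEnabledProtocols` opt-in. Since this widens the default negotiated protocol set for every client of the API, the change also deserves a release note so that users hitting the timeout described in this thread can find the cause.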
> 
> That is when TLSv1.3 was added as a default enabled protocol in the API, 
> fortress started having LDAPS connections problems.
> 
> Specifically, connections hang during bind ops, as they’re retrieved from the 
> pool.
> 
> Looking at the server log, the bind was successful, but the API's async 
> handler (ignores?) times out.
> 
> When I add this to the Fortress connection pool initialization:
> 
> ```
> config.setEnabledProtocols( new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" } );
> ```
> 
> Everything then works again as it should.  In other words, when bypassing 
> TLSv1.3 on the client side, it works again.
> 
> Not sure what’s going on, or if my workaround is the best way to handle this 
> situation.
> 
> Any ideas on what I'm doing wrong?
> 
> Thanks,
> 
> —
> Shawn
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
> For additional commands, e-mail: api-h...@directory.apache.org
> 
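An added example (not code from the thread, Fortress, or the LDAP API project) of the workaround above applied to an Apache LDAP API connection pool, but narrowed to TLSv1.2 only instead of re-enabling TLSv1/TLSv1.1, and with an explicit timeout so a stalled bind fails instead of hanging. Host, port, bind DN and password are placeholders.

```java
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapConnectionPool;

public class PinnedTlsLdapPool {

    // Pin the protocol list instead of relying on the API default.
    // TLSv1.2 alone sidesteps the TLSv1.3 hang reported on the list and
    // also drops the deprecated TLSv1/TLSv1.1 the workaround still enabled.
    static final String[] PINNED_PROTOCOLS = { "TLSv1.2" };

    static LdapConnectionConfig buildConfig(String host, int port,
                                            String bindDn, String password,
                                            long timeoutMs) {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true);                 // LDAPS, not StartTLS
        config.setTimeout(timeoutMs);           // bound the wait on bind/ops
        config.setEnabledProtocols(PINNED_PROTOCOLS);
        config.setName(bindDn);                 // pool factory binds with these
        config.setCredentials(password);
        return config;
    }

    public static void main(String[] args) throws LdapException {
        // Placeholder values; replace with your own directory and account.
        LdapConnectionConfig config = buildConfig(
                "ldap.example.com", 636, "uid=admin,ou=system", "secret", 10_000L);

        DefaultPoolableLdapConnectionFactory factory =
                new DefaultPoolableLdapConnectionFactory(config);

        try (LdapConnectionPool pool = new LdapConnectionPool(factory)) {
            // getConnection() returns a connection already bound by the factory;
            // with the pinned list a TLSv1.3-related stall cannot occur here.
            LdapConnection conn = pool.getConnection();
            try {
                System.out.println("authenticated=" + conn.isAuthenticated()
                        + " protocols=" + String.join(",", config.getEnabledProtocols()));
            } finally {
                pool.releaseConnection(conn);
            }
        }
    }
}
```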

