Hello Aleks,
I mean “com.sun.jndi.ldap.connect.timeout” property.
The positive value forces to start TLS handshake and wait for it completion
during the connectTimeout milliseconds:
Connection.java
>> if (connectTimeout > 0) {
>> int socketTimeout = sslSocket.getSoTimeout();
>> sslSocket.setSoTimeout(connectTimeout); // reuse full timeout value
>> sslSocket.startHandshake();
>> sslSocket.setSoTimeout(socketTimeout);
>> }
Without this property handshake is started later asynchronously.
As result
>> certs = ssock.getSession().getPeerCertificates();
in the LdapClient.java could return SSLPeerUnverifiedException().
This exception will be wrapped to NamingException and thrown to application.
This is not usually happens but I saw it on the slow connection
Alexey
> On 27 May 2020, at 16:13, Aleks Efimov <aleksej.efi...@oracle.com> wrote:
>
> Hi Alexey,
>
> I have question about timeouts:
> LdapCtx has 2 timeout properties: connectTimeout and readTimeout.
> First one is for controlling the Socket::connect timeout
> (Connection::createSocket), another - for reading out the replies
> (Connection::readReply).
> Both of them have default values set to '-1' which means that the LDAP stack
> would not set any timeouts for connect and/or reading operations.
>
> Could you, please, share the failures you're observing with no connect
> timeout set?
>
> Best,
> Aleksei
>
> On 27/05/2020 11:48, Alexey Bakhtin wrote:
>> Hello Bernd,
>>
>>> On 27 May 2020, at 13:12, Bernd Eckenfels <e...@zusammenkunft.net> wrote:
>>>
>>> LdapCtxt:
>>> 2568 /**
>>> 2569 * Sets the read timeout value
>>> 2570 */
>>> 2571 private void setChannelBindingType(String cbTypeProp) {
>>
>> Thank you. This is misprint. Should be “Sets the channel binding type”
>> About timeout - Yes. It is required. Otherwise, LdapClient does not wait for
>> TLS handshake completion and we can not get TLS server certificate before
>> Channel Binding data is populated.
>> Actually, we can force to wait for handshake completion but what timeout
>> should be set in this case.
>> As mentioned by Danial, information about new property and timeout should be
>> documented in the release notes.
>> For the TlsChannelBindingType.TLS_SERVER_END_POINT_COMPAT type name, I do
>> not think it is good approach. If you think different servers could accept
>> different address types for the same Channel Binding type, It would be
>> better to introduce separate boolean compatibility property like
>> “com.sun.security.sasl.addrtype.compat”. In this case it would be applied
>> not only for tls-server-end-point but for any provided Channel Bindings
>>
>>
>>> Not sure if that javadoc is the right one? And I also wonder if enforcing
>>> the timeout is needed, and if yes if it should be documented why. Was not
>>> obvious to me,
>>>
>>> what about having two type names
>>> (TlsChannelBindingType.TLS_SERVER_END_POINT and
>>> TlsChannelBindingType.TLS_SERVER_END_POINT_COMPAT?)
>>>
>>> This could be configured as a SASL property and it would add the benefit
>>> that you don't need the instance specific if in the gssstub native code if
>>> you instead have two different types values?
>>>
>>> Gruss
>>> Bernd
>>>
>>> Von: security-dev <security-dev-boun...@openjdk.java.net> im Auftrag von
>>> Alexey Bakhtin <ale...@azul.com>
>>> Gesendet: Mittwoch, Mai 27, 2020 11:43 AM
>>> An: Valerie Peng
>>> Cc: security-...@openjdk.java.net; core-libs-dev@openjdk.java.net; Thomas
>>> Maslen
>>> Betreff: Re: RFR: 8245527: LDAP Cnannel Binding support for Java
>>> GSS/Kerberos
>>>
>>> Hello Valerie, Unfortunately, Windows LDAP server with
>>> LdapEnforceChannelBinding=2 does not accept GSS_C_AF_NULLADDR address type.
>>> This is exact reason of these changes. I� ve tried to fix inconsistency of
>>> address type value in the latest webrev:
>>> http://cr.openjdk.java.net/~abakhtin/8245527/webrev.v2/
