[ https://issues.apache.org/jira/browse/DIRSTUDIO-263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Seelmann updated DIRSTUDIO-263:
--------------------------------------
Fix Version/s: 1.5.0
Basic certificate validation is implemented: First the default JVM validation
is called (which uses the <JAVA_HOME>/lib/security/cacerts keystore by
default). If the verification fails the user is asked if s/he wants to trust
the certificate. It works with Sun 5 and 6, JRockit 6 and IBM 5. There are
problems with Harmony and IBM 6 (which is based on Harmony); it seems Harmony
hasn't implemented StartTLS yet. I have to investigate.
The next steps are:
* Show the certificate details to the user. I'd suggest creating a certificate
dialog that shows the certificate and the chain, like in Firefox. We could
reuse this dialog for a certificate and certificate list value editor. Such a
dialog already exists in Eclipse; it pops up if you install a new plugin and
the plugin isn't signed by a known CA. Unfortunately this dialog is only
internal and not accessible from outside.
* Allow permanent trust of a certificate. Therefore we need to create a custom
keystore and put permanently trusted certificate chains into it. A preference
page to manage these certificates would also be helpful, e.g. if the user
accidentally added a certificate and wants to remove it.
* Enable hostname verification. This is quite tricky, see Marius' comment.
- For ldaps:// JNDI doesn't verify hostnames at all. The solution shown by
Marius (see the link above) seems to work, however the class "HostnameChecker"
is a Sun JDK specific class in package "sun.security.util.HostnameChecker".
- For StartTLS JNDI verifies hostnames by default. However if the
verification fails, the connection is closed. But we should ask the user if
s/he wants to trust the certificate anyway.
- Looks like we need a custom hostname checker. But that is quite complex
because we have to deal with IPv4 and IPv6 addresses, hostnames, wildcards; the
hostname could be the cn or one of the subject aliases, etc.
* An additional step would be to implement SASL EXTERNAL authentication using a
client certificate.
> Add certificate validation for ldaps and StartTLS
> -------------------------------------------------
>
> Key: DIRSTUDIO-263
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-263
> Project: Directory Studio
> Issue Type: Improvement
> Components: studio-connection
> Reporter: Stefan Seelmann
> Assignee: Stefan Seelmann
> Priority: Minor
> Fix For: 1.5.0
>
>
> We have encrypted connections using ldaps:// or the StartTLS extended
> operation, but the certificate isn't validated as we always use a
> DummySSLSocketFactory.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
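The validation order described in the comment above (default JVM check against cacerts first, then a custom keystore of permanently trusted certificates, and only then a prompt to the user) can be written as a single X509TrustManager. The following is an added example for this page, not code from Directory Studio; it assumes Java 7 or later, and the class name `ChainedTrustManager`, the `TrustPrompt` callback standing in for the dialog, and the `storeFile`/`storePassword` parameters are all assumptions. Hostname verification, which the comment treats separately, is not covered here.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

// Order of checks: JVM default trust (cacerts), then a user-managed permanent store, then ask the user.
public class ChainedTrustManager implements X509TrustManager {
    // Hypothetical UI callback (not Directory Studio's): true = trust now; permanent[0] = also save the cert.
    public interface TrustPrompt { boolean trust(X509Certificate[] chain, boolean[] permanent); }
    private final X509TrustManager jvmDefault;  // backed by <JAVA_HOME>/lib/security/cacerts by default
    private final KeyStore permanentStore;      // custom keystore holding permanently trusted server certs
    private final File storeFile;
    private final char[] storePassword;
    private final TrustPrompt prompt;

    public ChainedTrustManager(File storeFile, char[] storePassword, TrustPrompt prompt)
            throws GeneralSecurityException, IOException {
        this.storeFile = storeFile; this.storePassword = storePassword; this.prompt = prompt;
        this.jvmDefault = x509TrustManager(null);        // null KeyStore => the JVM default trust store
        this.permanentStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storeFile.exists()) { try (InputStream in = new FileInputStream(storeFile)) { permanentStore.load(in, storePassword); } }
        else permanentStore.load(null, storePassword);   // start with an empty store
    }
    private static X509TrustManager x509TrustManager(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new GeneralSecurityException("no X509TrustManager available");
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try { jvmDefault.checkServerTrusted(chain, authType); return; }   // step 1: default JVM validation
        catch (CertificateException defaultFailure) {
            try {                                                          // step 2: permanently trusted certs
                if (permanentStore.size() > 0) { x509TrustManager(permanentStore).checkServerTrusted(chain, authType); return; }
            } catch (GeneralSecurityException notTrustedHere) { /* fall through and ask the user */ }
            boolean[] permanent = { false };                               // step 3: ask the user
            if (prompt == null || !prompt.trust(chain, permanent)) throw defaultFailure;
            if (permanent[0]) persist(chain[0]);                           // save only the server cert, not its CA
        }
    }
    private void persist(X509Certificate cert) throws CertificateException {
        try {
            permanentStore.setCertificateEntry(cert.getSubjectX500Principal().getName() + "#" + cert.getSerialNumber().toString(16), cert);
            try (OutputStream out = new FileOutputStream(storeFile)) { permanentStore.store(out, storePassword); }
        } catch (GeneralSecurityException | IOException e) { throw new CertificateException("could not save the permanent trust store", e); }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { jvmDefault.checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
}
```

Saving only the server certificate (not its issuing CA) into the permanent store keeps a user's one-off decision from silently extending trust to every certificate that CA signs; the preference page mentioned in the comment would then list and delete entries of this keystore.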