[ https://issues.apache.org/jira/browse/DIRSERVER-1857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13683295#comment-13683295 ]

Achim Willems commented on DIRSERVER-1857:
------------------------------------------

I think it's not only a matter of setting the TrustManager. I'm not very 
familiar with Apache Mina, but isn't it also necessary to call 
setNeedClientAuth(true) on the sslFilter?

Another reason why it might be useful to use an interface to set up the SSL 
connection is that one would be more flexible regarding the type of key 
and trust stores. The current implementation allows only file key stores, which 
are not always applicable. In our company, for example, we often have to use 
hardware security modules which need special implementations of key and trust 
stores.
                
> Allow registration of an LdapsInitializer at the LdapServer
> -----------------------------------------------------------
>
>                 Key: DIRSERVER-1857
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1857
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>    Affects Versions: 2.0.0-M12
>            Reporter: Achim Willems
>
> Due to a BSI directive we need mutual authentication for SSL/TLS connections. 
> BSI (Bundesamt für Sicherheit in der Informationstechnik) is a German 
> governmental organization. This means that we cannot ignore this directive.
> The current implementation of org.apache.directory.server.ldap.LdapServer 
> uses the static method 
> org.apache.directory.server.ldap.handlers.ssl.LdapsInitializer.init to 
> initialize the SSL communication.
> It would be helpful to have an LdapsInitializer interface with a default 
> implementation (i.e. the current implementation is the default) and the 
> possibility to register this interface at the LdapServer.
> We then could implement our own version of the initializer to establish the 
> necessary behaviour.
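An added example, not code from the ApacheDS project or from either participant in this thread, showing the two points raised above together: the pluggable initializer interface the report asks for, and the comment's observation that installing a custom TrustManager alone does not enforce mutual TLS unless setNeedClientAuth(true) is also called on the Apache MINA SslFilter. The LdapsInitializer interface, its init() method, the FileStoreMutualTlsInitializer class, the "sslFilter" chain name and the store paths are assumptions for illustration; SslFilter, setNeedClientAuth and DefaultIoFilterChainBuilder are the Apache MINA 2 classes, and the javax.net.ssl calls are standard JDK API.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.mina.core.filterchain.DefaultIoFilterChainBuilder;
import org.apache.mina.filter.ssl.SslFilter;

/**
 * Hypothetical pluggable initializer, as proposed in the issue. The name
 * follows the static class mentioned in the report, but this interface and
 * its method are an assumption for illustration, not the ApacheDS API.
 */
interface LdapsInitializer {
    /** Build the filter chain that upgrades an accepted connection to TLS. */
    DefaultIoFilterChainBuilder init() throws GeneralSecurityException, IOException;
}

/**
 * Hypothetical default implementation: file-based key and trust stores with
 * client certificates required (mutual TLS). An HSM-backed implementation
 * would implement the same interface but obtain its KeyStore from a PKCS#11
 * provider instead of a file.
 */
class FileStoreMutualTlsInitializer implements LdapsInitializer {
    private final String keyStorePath;
    private final char[] keyStorePassword;
    private final String trustStorePath;
    private final char[] trustStorePassword;

    FileStoreMutualTlsInitializer(String keyStorePath, char[] keyStorePassword,
                                  String trustStorePath, char[] trustStorePassword) {
        this.keyStorePath = keyStorePath;
        this.keyStorePassword = keyStorePassword;
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword;
    }

    @Override
    public DefaultIoFilterChainBuilder init() throws GeneralSecurityException, IOException {
        // Server identity: the LDAPS certificate and its private key.
        KeyStore keyStore = loadKeyStore(keyStorePath, keyStorePassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // Trust anchors used to validate the *client* certificate chain. Building
        // the TrustManager from a dedicated store limits accepted clients to the
        // CAs in that store rather than everything the JVM trusts by default.
        KeyStore trustStore = loadKeyStore(trustStorePath, trustStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SslFilter sslFilter = new SslFilter(ctx);
        // The point raised in the comment: a TrustManager only decides how a
        // client certificate is validated *if one is presented*. needClientAuth
        // makes the handshake fail when the client presents none; wantClientAuth
        // would merely request a certificate and still complete the handshake
        // without one, which is not mutual authentication.
        sslFilter.setNeedClientAuth(true);

        DefaultIoFilterChainBuilder chain = new DefaultIoFilterChainBuilder();
        chain.addFirst("sslFilter", sslFilter);
        return chain;
    }

    private static KeyStore loadKeyStore(String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
}
```

Because the interface returns a finished filter chain rather than taking file paths, the caller does not need to know where the keys live; that is what lets an HSM-backed variant (KeyStore loaded through a PKCS#11 provider) plug into the same server without changes to LdapServer itself. A quick check that the configuration really is mutual is to connect with a client that presents no certificate: with needClientAuth set, the handshake must fail rather than proceed to an unauthenticated LDAP session.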
