[ 
https://issues.apache.org/jira/browse/DIRAPI-227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15503210#comment-15503210
 ] 

Emmanuel Lecharny commented on DIRAPI-227:
------------------------------------------

Ok, it seems that when the SSL handshake fails, the session is not deleted, 
so every message being sent afterwards is in the clear. This is a bug in MINA (DIRMINA-1044) 
that should be fixed in the next version.

As soon as we have a MINA release, we will use it in the LDAP API.

> Bind user dn and password sent in clear after receiving PROTOCOL_ERROR during 
> ldaps connection
> ----------------------------------------------------------------------------------------------
>
>                 Key: DIRAPI-227
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-227
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0-M28
>            Reporter: Scott Tustison
>
> I was attempting to use M28 and was having issues getting LDAPS to work 
> (startTLS appeared to work just fine). After several repeated bind and unbind 
> operations, the LDAPS connection would eventually fail with a PROTOCOL_ERROR 
> and never bind again. However, when it was attempting to bind after receiving 
> that error, it would then send the bind user and password in the clear. This 
> was confirmed by looking in the LDAP server logs and also by Wireshark.
> I ran with debug turned on and this is what it receives during a failure 
> (which is after a long string of successes, by the way). I omitted my 
> project's code from the trace for clarity:
> 14:53:55,447 | DEBUG | tp1920834220-484 | 
> ry.ldap.client.api.LdapNetworkConnection 1028 | ts-ldapclaimshandler | Bind 
> request
> 14:53:55,450 | DEBUG | tp1920834220-484 | 
> ry.ldap.client.api.LdapNetworkConnection 1270 | ts-ldapclaimshandler | 
> Sending request 
> MessageType : BIND_REQUEST
> Message ID : 1
>     BindRequest
>         Version : '3'
>         Name : 'cn=admin'
>         Simple authentication : '(omitted-for-safety)'
> 14:53:55,450 | DEBUG | tp1920834220-484 | 
> ry.ldap.client.api.LdapNetworkConnection  280 | ts-ldapclaimshandler | Adding 
> <1, org.apache.directory.ldap.client.api.future.BindFuture>
> 14:53:55,654 | DEBUG | NioProcessor-3   | 
> .ldap.client.api.LdapNetworkConnection$1  660 | ts-ldapclaimshandler | 
> received a NoD, closing everything
> 14:53:55,654 | DEBUG | NioProcessor-3   | 
> .ldap.client.api.LdapNetworkConnection$1  665 | ts-ldapclaimshandler | 
> closing BindFuture[msgId : 1, size : 0, Canceled :false]
> 14:53:55,656 | DEBUG | tp1920834220-484 | 
> ry.ldap.client.api.LdapNetworkConnection 1201 | ts-ldapclaimshandler | Bind 
> failed : MessageType : BIND_RESPONSE
> Message ID : -1
>     BindResponse
>         Ldap Result
>             Result code : (PROTOCOL_ERROR) protocolError
>             Matched Dn : 'null'
>             Diagnostic message : 'PROTOCOL_ERROR: The server will disconnect!'
> 14:53:55,656 | ERROR | tp1920834220-484 | 
> rity.sts.claimsHandler.RoleClaimsHandler  238 | ts-ldapclaimshandler | Unable 
> to set role claims.
> org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException: 
> PROTOCOL_ERROR: The server will disconnect!
>       at 
> org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2163)
>       at 
> org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1035)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
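To make the failure mode in the comment above concrete, here is an added model (not code from Apache MINA or the LDAP API) of a session behind an SSL filter: the buggy handshake handler leaves a failed session open so the next bind goes out in clear, the fixed handler closes it, and a hypothetical application-side `require_tls` guard refuses to hand credentials to a session that never finished its handshake.

```python
from dataclasses import dataclass, field


class SessionClosed(Exception):
    """Write attempted on a session that has been closed."""


class InsecureSession(Exception):
    """Bind refused because the session never completed its TLS handshake."""


@dataclass
class Session:
    """Stand-in for a MINA IoSession sitting behind an SSL filter.

    `wire` is a constructed capture of what leaves the socket, tagged with
    whether the SSL filter encrypted it."""
    wire: list = field(default_factory=list)
    secured: bool = False
    closed: bool = False

    def write(self, payload: bytes) -> None:
        if self.closed:
            raise SessionClosed("session is closed")
        # An SSL filter only encrypts once the handshake completed; before that
        # (or after a failed handshake) the bytes pass through untouched.
        self.wire.append(("tls" if self.secured else "clear", payload))


def handshake_buggy(session: Session, succeeded: bool) -> None:
    """Behaviour described in DIRAPI-227 / DIRMINA-1044: a failed handshake
    leaves the session open, so later writes go out in clear."""
    session.secured = succeeded


def handshake_fixed(session: Session, succeeded: bool) -> None:
    """The fix the comment describes: a failed handshake closes the session."""
    session.secured = succeeded
    if not succeeded:
        session.closed = True


def bind(session: Session, dn: str, password: str, require_tls: bool = True) -> str:
    """Send a simple bind and return how it left the host ('tls' or 'clear').

    `require_tls` is a hypothetical application-side guard, not an option of
    the LDAP client API: never hand credentials to an unsecured session."""
    if require_tls and not session.secured:
        raise InsecureSession("refusing to send credentials over an unsecured session")
    session.write(f"bind {dn} {password}".encode())
    return session.wire[-1][0]
```

The guard is independent of the library fix, so an application can keep it even once the MINA release lands.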
