[
https://issues.apache.org/jira/browse/DIRAPI-301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emmanuel Lecharny resolved DIRAPI-301.
--------------------------------------
Resolution: Fixed
Fix Version/s: 2.0.0.AM3
Fixed.
The default configuration now uses the default {{TrustManager}}
> Ldaps connection trusts all certificates
> ----------------------------------------
>
> Key: DIRAPI-301
> URL: https://issues.apache.org/jira/browse/DIRAPI-301
> Project: Directory Client API
> Issue Type: Bug
> Affects Versions: 1.0.0
> Environment: Windows 10 & Ubuntu 14.04
> Reporter: Natan Abolafya
> Priority: Major
> Labels: security
> Fix For: 2.0.0.AM3
>
>
> Thankfully we had an integration test for this, otherwise this is a major
> security issue.
> This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0,
> the test started failing. "Affects version" says there is no 1.0.0 btw, but
> Maven disagrees.
> I don't know about the raw APIs but this happens when
> `LdapConnectionTemplate` is used. Thankfully I was able to work around it by
> assigning Java's default TrustManager.
> LdapConnectionConfig config = new LdapConnectionConfig();
> ....
> // A null KeyStore makes the factory use the JRE's default trust store
> TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> tmf.init((KeyStore) null);
> config.setTrustManagers(tmf.getTrustManagers());
> ...
> DefaultLdapConnectionFactory connectionFactory = new DefaultLdapConnectionFactory(config);
> return new LdapConnectionTemplate(new LdapConnectionPool(
>     new ValidatingPoolableLdapConnectionFactory(connectionFactory)));
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
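
A regression check for the behaviour reported above, as an added example that is not part of the issue or of the Directory API: it probes a set of trust managers, such as the array passed to `config.setTrustManagers(...)`, and flags any that accept an empty certificate chain. The class `TrustManagerGuard`, the method `acceptsAnything` and the permissive manager in `main` are hypothetical names constructed for illustration; only JDK classes are used.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper (not part of the Directory API): flags accept-all trust managers.
public class TrustManagerGuard {

    // True if any X509TrustManager silently accepts an empty certificate chain.
    // The X509TrustManager contract requires IllegalArgumentException for that input,
    // so a manager that returns normally is not validating anything.
    static boolean acceptsAnything(TrustManager[] managers) {
        if (managers == null) {
            return false; // nothing configured, nothing to probe
        }
        for (TrustManager tm : managers) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            try {
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[0], "RSA");
                return true; // no exception: accept-all behaviour
            } catch (IllegalArgumentException | CertificateException rejected) {
                // expected from a validating manager
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // The JRE default, built the same way as in the workaround
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        System.out.println("default accepts anything: " + acceptsAnything(tmf.getTrustManagers()));

        // Constructed stand-in for the behaviour the issue reports
        X509TrustManager permissive = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        System.out.println("permissive accepts anything: " + acceptsAnything(new TrustManager[] { permissive }));
    }
}
```

The probe only detects managers that skip validation entirely; an integration test against a server presenting an untrusted certificate, like the one the reporter describes, is still needed to cover hostname and chain checks end to end.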