[ 
https://issues.apache.org/jira/browse/DIRAPI-69?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17123958#comment-17123958
 ] 

Natan Abolafya commented on DIRAPI-69:
--------------------------------------

Well, I just realized that I already have the hostname when creating the LdapConnectionConfig object. So wrapping the default TrustManager in one that also verifies the server certificate against that hostname should do fine. One caveat: the check has to be done in every checkServerTrusted overload (the Socket, SSLEngine and two-argument forms), because which one JSSE invokes depends on whether the handshake is driven through an SSLSocket or an SSLEngine, and any overload that skips it is an unverified path. But if there is a better way to do it, please let me know.

 

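// Build the JVM's default trust managers, then wrap every X509ExtendedTrustManager
// so that server certificates are additionally matched against the LDAP hostname
// we connect to. Chain validation alone accepts any certificate issued by a
// trusted CA for *any* host; the identity check is what RFC 2830 section 3.6
// requires after StartTLS. `hostname` and `config` come from the surrounding
// code (the host passed to LdapConnectionConfig) and are not defined here.
TrustManagerFactory tmf =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// A null KeyStore selects the platform default trust store.
tmf.init((KeyStore) null);
TrustManager[] trustManagersWithHostnameVerification =
    Arrays.stream(tmf.getTrustManagers()).map(tm -> {
        if (!(tm instanceof X509ExtendedTrustManager)) {
            // Not an extended X.509 trust manager; pass it through untouched.
            return tm;
        }
        return new X509ExtendedTrustManager() {
            private final X509ExtendedTrustManager trustManager = (X509ExtendedTrustManager) tm;
            // Apache HttpClient's verifier (matches SAN dNSName/iPAddress entries,
            // CN fallback only for certificates without SANs).
            private final DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
            private final String ldapHostname = hostname;

            /**
             * Verifies that the leaf certificate is valid for {@code ldapHostname}.
             * Must be called from every checkServerTrusted overload: JSSE uses the
             * Socket variant for SSLSocket handshakes, the SSLEngine variant for
             * engine-driven ones, and the two-argument form through legacy paths,
             * so verifying in only one of them leaves the others unverified.
             *
             * @param chain the server's certificate chain, leaf first
             * @throws CertificateException if the chain is empty or the leaf does
             *     not match the hostname (the SSLException is kept as the cause)
             */
            private void verifyHostname(X509Certificate[] chain) throws CertificateException {
                if (chain == null || chain.length == 0) {
                    throw new CertificateException("Empty certificate chain from " + ldapHostname);
                }
                try {
                    hostnameVerifier.verify(ldapHostname, chain[0]);
                } catch (SSLException e) {
                    throw new CertificateException(e.getMessage(), e);
                }
            }

            // Client-certificate checks are delegated unchanged: hostname
            // verification is a server-identity check only.
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                    throws CertificateException {
                trustManager.checkClientTrusted(chain, authType, socket);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                    throws CertificateException {
                trustManager.checkServerTrusted(chain, authType, socket);
                verifyHostname(chain);
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                    throws CertificateException {
                trustManager.checkClientTrusted(chain, authType, engine);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                    throws CertificateException {
                trustManager.checkServerTrusted(chain, authType, engine);
                verifyHostname(chain);
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                trustManager.checkClientTrusted(chain, authType);
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                trustManager.checkServerTrusted(chain, authType);
                verifyHostname(chain);
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return trustManager.getAcceptedIssuers();
            }
        };
    }).toArray(TrustManager[]::new);
config.setTrustManagers(trustManagersWithHostnameVerification);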

> API does not allow StartTLS hostname verification
> -------------------------------------------------
>
>                 Key: DIRAPI-69
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-69
>             Project: Directory Client API
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-M9
>            Reporter: Daniel Fisher
>            Assignee: Pierre-Arnaud Marcelot
>            Priority: Major
>             Fix For: 3.0.0
>
>
> The current API does not have any features for controlling hostname 
> verification. In addition, it appears that *no* hostname verification occurs 
> by default. See RFC 2830 section 3.6


