Hi Emmanuel,

I tried to understand what the (actual) problem is, but I can't find it.

I cloned Mina 2.2.4, compiled it and made a little scratchpad to test it (with the help of the TimeServer example), and though I don't have telnet, OpenSSL s_client works as well; and I could confirm that it works with TLS 1.3. Then I used https://github.com/apache/mina/compare/2.2.3...2.2.4 to find the differences in the SSLFilter and Handler, but besides adding a non-blocking operation, nothing much has changed.

What I am going to do next is use Mina 2.2.4 in the latest LDAP API (locally), try to connect to one of our dev LDAP servers, and see what the SSL debug log gives me.

The only thing I found interesting was that Java 8 JVMs do not contain a Security Provider which supports TLS 1.3, and I did need to use a newer Java to get a secure connection established.

What about the switch from execute_task to schedule_task? So, until the SSL filter the request is blocking and synchronous, and after it, it gets asynchronous? Should I run my local tests with possible race conditions in mind? I would have thought that every request gets its own thread.

Bottom line: I took a longer look into it, but would appreciate it if you could specify in more detail what the problem is and/or how I can reproduce it.

Thank you,
Jan

PS: Is it fine to use the LDAP distribution list instead of the Mina one?

-----Original Message-----
From: Emmanuel Lecharny <elecha...@gmail.com>
Sent: Tuesday, June 10, 2025 10:04 AM
To: Zelmer, Jan <jan.zel...@commerzbank.com>; 'dev@directory.apache.org' <dev@directory.apache.org>
Subject: Re: DIRAPI-423

Hi Jan,

bottom line, we had a big change in the way we deal with TLS in MINA 2.2.4, which breaks. At this point, I have very little time to analyse the issue we have, but enough said that rolling back to MINA 2.2.3 is problematic because it does not support TLS 1.3 properly.

Here, our options are limited:
- either we find some time to fix the MINA 2.2.4 issue (which probably means a complete rewrite of the SSLFilter/SSLHandler parts)
- or we add a Netty layer

At this point, I think the second option is probably the right thing to do: first it's going to work, second we will let the API users choose their network implementation. Adding a Netty layer comes with some costs: the logic is pretty different, especially when it comes to encoder/decoder, but it's likely to be the fastest path.

Thanks for your interest, feel free to contact me if you need more information.

On 06/06/2025 12:20, Zelmer, Jan wrote:
> Dear Sirs and Madams,
>
> I was wondering what the big issue with TLS in 2.2.4 is and if I could help.
>
> Some context: we are using the LDAP client API for some of our projects and
> Sonar found a serious CVE in the current mina library.
>
> Would you mind forwarding me the email thread discussing this or any other
> information, so I can have a look myself?
> (I operated a certificate authority for 5 years and maintained
> associated java applications, including debugging mutual ssl
> connections)
>
> Kind Regards,
> Jan Zelmer
>
> Commerzbank AG
>
> DLZ2, Mainzer Landstrasse 153, 60327 Frankfurt am Main
> Phone +49 69 136 270 03
> Mobile +49 160 145 245 0