Hi,
On 06/08/2025 09:49, Abhinav _ wrote:
> Hi, I need to ask a couple of things here.
>
> 1. Is there any apacheds image version which supports TLS 1.3 fully?

Not yet. Working on it.

> 2. Has the mina 2.2.4 library been adopted in any of the apacheds docker images?

No.

> 3. The latest apacheds docker image contains a snapshot version. Can you please
> check on this?

We don't produce or release ApacheDS docker images (officially).

> 4. Is there any way that we can adopt TLSv1.3 in apacheds? Please tell us
> how to adopt the TLSv1.3 changes in apacheds.

It depends on MINA, which has some issues with the latest version.
We are working on it.

> Thanks and regards,
> Abhinav
________________________________
From: Zelmer, Jan <jan.zel...@commerzbank.com.INVALID>
Sent: Monday, June 30, 2025 9:45 PM
To: 'Emmanuel Lecharny' <elecha...@gmail.com>
Cc: 'dev@directory.apache.org' <dev@directory.apache.org>
Subject: RE: DIRAPI-423
Hi Emmanuel,
Okay, I should have looked at the Mina 1186 earlier.
Any pointers on how to reproduce? Running an Apache DS server and uploading some
images via an LDAPS-secured connection?
This is what AI (GitHub Copilot) told me: TLS messages over 16k are split
by the TLS implementation, but if we send something in between or the
packet order is odd, because there are different TLS packets in it, then we
get a Tag mismatch.
Unfortunately my company does not want me to invest time into this, so I will
switch it to my hobby project - but this still is incredibly interesting to me.
Next thing I will do: install Apache DS server on my private machine, write a
client to upload large chunks and see what Wireshark tells me.
Kind,
Jan
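The two things the message above attributes to the TLS layer (application data split into records at 16 KiB, and a tag mismatch when records reach the peer in the wrong order) can be reproduced without ApacheDS or MINA at all. The Go program below is an added example, not code from this thread or from either project; it assumes only Go's standard crypto/tls, an in-memory net.Pipe in place of a socket, and a throwaway self-signed certificate that it generates itself. A single 40000-byte client write leaves the client as three TLS 1.3 records carrying at most 16384 bytes of plaintext each. Delivered in order, the server reassembles the payload; with the second record handed over before the first, the AEAD tag check fails on that record, because the per-record nonce is derived from the record sequence number. Go reports this as "bad record MAC"; the JDK's GCM implementation surfaces the same failure as an AEADBadTagException with the message "Tag mismatch!".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

type sinkConn struct { // net.Conn whose Write target is swapped after the handshake
	net.Conn
	sink io.Writer // the pipe at first; later a capture buffer or io.Discard
}

func (s *sinkConn) Write(p []byte) (int, error) { return s.sink.Write(p) }

// selfSignedCert makes a throwaway P-256 certificate for the loopback server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// splitRecords cuts a captured TLS stream into whole records via the 5-byte header (type, legacy version, 16-bit length).
func splitRecords(raw []byte) (recs [][]byte) {
	for len(raw) >= 5 {
		n := 5 + int(binary.BigEndian.Uint16(raw[3:5]))
		if n > len(raw) {
			break // truncated tail, not a whole record
		}
		recs, raw = append(recs, raw[:n]), raw[n:]
	}
	return recs
}

// run does a TLS 1.3 handshake over an in-memory pipe, then returns the records of one 40000-byte
// write, whether in-order delivery gives the payload back, and the server's error when two are swapped.
func run() (recs [][]byte, inOrderOK bool, swappedErr string, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return
	}
	cliEnd, srvEnd := net.Pipe()
	defer cliEnd.Close() // unblocks a delivery goroutine the server stopped reading
	cli, srv := &sinkConn{Conn: cliEnd, sink: cliEnd}, &sinkConn{Conn: srvEnd, sink: srvEnd}
	// No dynamic record sizing: records fill to the 16 KiB maximum. No tickets: the pipe is idle after the handshake.
	client := tls.Client(cli, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS13, DynamicRecordSizingDisabled: true})
	server := tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true})
	go client.Handshake() // runs concurrently; the second call below returns its cached result
	if err = server.Handshake(); err == nil {
		err = client.Handshake()
	}
	if err != nil {
		return
	}
	srv.sink = io.Discard                               // alerts the server raises from here on go nowhere
	payload := bytes.Repeat([]byte("0123456789"), 4000) // constructed 40000-byte blob, more than one record holds
	encrypt := func() [][]byte {                        // one client Write of the payload, captured as records
		var wire bytes.Buffer
		cli.sink = &wire
		_, err = client.Write(payload)
		return splitRecords(wire.Bytes())
	}
	if recs = encrypt(); err != nil {
		return
	}
	go cliEnd.Write(bytes.Join(recs, nil)) // in order: the server decrypts every record
	got := make([]byte, len(payload))
	_, err = io.ReadFull(server, got)
	inOrderOK = err == nil && bytes.Equal(got, payload)
	// Same write again, but the second record reaches the server before the first. The AEAD nonce
	// comes from the record sequence number, so the tag check fails on the first record opened.
	again := encrypt()
	go cliEnd.Write(bytes.Join(append([][]byte{again[1], again[0]}, again[2:]...), nil))
	if _, err = io.ReadFull(server, got); err != nil {
		swappedErr, err = err.Error(), nil
	}
	return
}

func main() {
	recs, inOrderOK, swappedErr, err := run()
	fmt.Println(len(recs), "records; in order ok:", inOrderOK, "; swapped:", swappedErr, "; error:", err)
}
```

Two settings are there only to keep the in-memory pipe honest: DynamicRecordSizingDisabled makes Go fill each record to the 16384-byte maximum instead of starting with MSS-sized records, and SessionTicketsDisabled stops the server from writing NewSessionTicket records that nobody would read off the pipe. Against a real LDAPS endpoint, the record lengths and their order are exactly what a Wireshark capture of the TLS layer shows, which is the check the message above proposes.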
-----Original Message-----
From: Emmanuel Lecharny <elecha...@gmail.com>
Sent: Tuesday, June 17, 2025 3:51 PM
To: Zelmer, Jan <jan.zel...@commerzbank.com>
Cc: 'dev@directory.apache.org' <dev@directory.apache.org>
Subject: Re: DIRAPI-423
Hi Jan,
long story short, after a while messages get borked, and the SslEngine breaks, so we must
certainly have an issue in the way we deal with incoming and outgoing messages in the latest
implementation (see
https://issues.apache.org/jira/projects/DIRMINA/issues/DIRMINA-1186?filter=allopenissues).
There are also things I don't like in the current MINA 2.2.4, for instance the
handling of tasks, and also a recursive loop that can most certainly be avoided.
I'm not in front of the code right now (day job...) but I will try to
elaborate later.
Thanks for your interest!
On 16/06/2025 11:39, Zelmer, Jan wrote:
Hi Emmanuel,
I tried to understand what the (actual) problem is, but I can't find it.
I cloned Mina 2.2.4, compiled it and made a little scratchpad to test it (with
the help of the TimeServer example), and though I don't have telnet,
OpenSSL s_client works as well; and I could find that it works with TLS 1.3.
Then I used
https://github.com/apache/mina/compare/2.2.3...2.2.4
to find the differences in the SSLFilter and Handler, but besides adding a nonblocking
operation, nothing much has changed.
What I am going to do next, is using Mina 2.2.4 in the latest LDAP Api
(locally) and try to connect to one of our dev LDAP server, and see what the
SSL Debug log is giving me.
The only thing I found interesting was that Java 8 JVMs do not contain a
Security Provider which supports TLS 1.3, and I needed to use a newer Java to
get a secure connection established.
What about the switch from execute_task to schedule_task? So, until the SSL
Filter the request is blocking and synchronous, and after it gets asynchronous?
Should I run my local tests with possible race conditions in mind? I would
have thought that every request gets its own thread.
Bottom line: I took a longer look into it, but would appreciate it if you could
specify in more detail what the problem is and/or how I can reproduce it.
Thank you,
Jan
PS: Is it fine to use the LDAP distribution list instead of the Mina one?
-----Original Message-----
From: Emmanuel Lecharny <elecha...@gmail.com>
Sent: Tuesday, June 10, 2025 10:04 AM
To: Zelmer, Jan <jan.zel...@commerzbank.com>;
'dev@directory.apache.org' <dev@directory.apache.org>
Subject: Re: DIRAPI-423
Hi Jan,
bottom line, we had a big change in the way we deal with TLS in MINA 2.2.4,
which breaks.
At this point, I have very little time to analyse the issue we have, but suffice it
to say that rolling back to MINA 2.2.3 is problematic because it does not support
TLS 1.3 properly.
Here, our options are limited:
- either we find some time to fix the MINA 2.2.4 issue (which probably
  means a complete rewrite of the SSLFilter/SSLHandler parts)
- or we add a Netty layer
At this point, I think the second option is probably the right thing to
do: first it's going to work, second we will let the API user choose their
network implementation.
Adding a Netty layer comes with some costs: the logic is pretty different,
especially when it comes to encoder/decoder, but it's likely to be the fastest
path.
Thanks for your interest, feel free to contact me if you need more information.
On 06/06/2025 12:20, Zelmer, Jan wrote:
Dear Sir or Madam,
I was wondering what the big issue with TLS in 2.2.4 is and if I could help.
Some context: we are using the LDAP client API for some of our projects and
Sonar found a serious CVE in the current mina library.
Would you mind forwarding me the email thread discussing this or any other
information, so I can have a look myself?
(I operated a certificate authority for 5 years and maintained
associated Java applications, including debugging mutual SSL
connections)
Kind Regards,
Jan Zelmer
Commerzbank AG
DLZ2, Mainzer Landstrasse 153, 60327 Frankfurt am Main
Phone +49 69 136 270 03
Mobile +49 160 145 245 0
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org