Unfortunately I have to use Java 6 because of an old system. Thanks for patching the code; unfortunately I have issues running Maven with Eclipse to generate a new build. Did you generate a new jar, or is it going to be released in the next sprint or release?
Karim

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Wednesday, March 25, 2015 11:54 AM
To: [email protected]
Subject: Re: Problem using TLS or SSL to establish a secure binding

On 25/03/15 09:49, Karim Hosny wrote:
> Same error, it ignores the setSslProtocol method completely and the
> error message shows up for TLSv1.1

Ahhh, I know what's wrong. We define the list of supported protocols :

    // Be sure we disable SSLV3
    sslFilter.setEnabledProtocols( new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" } );

and this list is used to initialize the SslEngine. It's likely not to be accepted when running with Java 6...

Any reason you have to run your code with Java 6, which is EOL since February 2013 ? TLSv1 is proven to be broken, and you should *never* use it, and as it's the highest supported protocol in Java 6, that would put your client in high risk...

Anyway, I'm going to patch the API to allow users to define the list of protocols to use. Here is the patch if you want to apply it to the code base on your own :

Index: ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java =================================================================== --- ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java (revision 1667210) +++ ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapConnectionConfig.java (working copy) @@ -99,6 +99,9 @@ /** an array of cipher suites which are enabled, if set, will be used while initializing the SSL context */ private String[] enabledCipherSuites; + /** an array of protocols which are enabled, if set, will be used while initializing the SSL context */ + private String[] enabledProtocols; + /** name of the protocol used for creating SSL context, default value is "TLS" */ private String sslProtocol = DEFAULT_SSL_PROTOCOL; 
@@ -452,6 +455,28 @@ /** + * Gets the protocols which are enabled. + * + * @return the protocol which are enabled + */ + public String[] getEnabledProtocols() + { + return enabledProtocols; + } + + + /** + * Sets the protocols which are enabled + * + * @param enabledProtocols the protocols which are enabled + */ + public void setEnabledProtocols( String... enabledProtocols ) + { + this.enabledProtocols = enabledProtocols; + } + + + /** * @return the binaryAttributeDetector */ public BinaryAttributeDetector getBinaryAttributeDetector() Index: ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java =================================================================== --- ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java (revision 1667210) +++ ldap/client/api/src/main/java/org/apache/directory/ldap/client/api/LdapNetworkConnection.java (working copy) @@ -3827,12 +3827,29 @@ SslFilter sslFilter = new SslFilter( sslContext, true ); sslFilter.setUseClientMode( true ); - sslFilter.setEnabledCipherSuites( config.getEnabledCipherSuites() ); + // Configure the enabled cipher lists + String[] enabledCipherSuite = + config.getEnabledCipherSuites(); + + if ( ( enabledCipherSuite != null ) && ( enabledCipherSuite.length != 0 ) ) + { + sslFilter.setEnabledCipherSuites( enabledCipherSuite ); + } + // Be sure we disable SSLV3 - sslFilter.setEnabledProtocols( new String[] - { "TLSv1", "TLSv1.1", "TLSv1.2" } ); + String[] enabledProtocols = config.getEnabledProtocols(); + if ( ( enabledProtocols != null ) && ( enabledProtocols.length != 0 ) ) + { + sslFilter.setEnabledProtocols( enabledProtocols ); + } + else + { + // Default to TLS + sslFilter.setEnabledProtocols( new String[] + { "TLSv1", "TLSv1.1", "TLSv1.2" } ); + } + // for LDAPS if ( ldapSession == null ) {
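Review bot: In the LdapConnectionConfig hunk, the new setEnabledProtocols( String... ) accepts any protocol name without validation or documentation, so a caller can pass "SSLv3" and silently reinstate the protocol the existing "Be sure we disable SSLV3" comment says must stay off; the setter's Javadoc should state that an explicit list replaces the TLS-only default and that the caller then owns the exclusion of SSLv3, or the setter should reject known-insecure names outright. Two smaller points in the same hunk: the getter's "@return the protocol which are enabled" should read "the protocols which are enabled", and `this.enabledProtocols = enabledProtocols;` keeps the caller's array by reference, so a later mutation changes the connection's protocol list; storing a copy would avoid that.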
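Review bot: In the LdapNetworkConnection hunk, the "Be sure we disable SSLV3" comment now only holds on the else branch: when config.getEnabledProtocols() is non-empty its contents go straight to sslFilter.setEnabledProtocols unchecked, so either move the comment into the else branch or filter the user-supplied list before applying it. The fallback `{ "TLSv1", "TLSv1.1", "TLSv1.2" }` still includes TLSv1 although the message introducing this patch says it should never be used; if it is kept for old runtimes, say so in a comment. Note also the behaviour change on cipher suites: `sslFilter.setEnabledCipherSuites( config.getEnabledCipherSuites() )` used to run unconditionally and is now skipped for a null or empty array, which should be called out in the commit message.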
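As an added illustration (not code from this thread or from the Apache Directory project), one way a caller could use the setter the patch introduces: select, in preference order, only the protocols the running JVM's SSLContext reports as supported, so the configuration fails loudly on an old runtime instead of producing the silent rejection described above. It assumes LdapConnectionConfig exposes setEnabledProtocols, setUseSsl, setLdapHost and setLdapPort; the host name is a placeholder.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;

/** Chooses the strongest TLS versions this JVM can actually enable (Java 6 compatible syntax). */
public class ProtocolSelection
{
    // Preference order. SSLv3 is deliberately absent; TLSv1 is listed last only
    // for legacy runtimes such as the Java 6 one in this thread and should be dropped where possible.
    static final String[] PREFERRED = { "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Returns the entries of 'preferred' that also appear in 'supported', keeping preferred order. */
    static String[] selectProtocols( String[] preferred, String[] supported )
    {
        List<String> supportedList = Arrays.asList( supported );
        List<String> chosen = new ArrayList<String>();

        for ( String protocol : preferred )
        {
            if ( supportedList.contains( protocol ) )
            {
                chosen.add( protocol );
            }
        }

        return chosen.toArray( new String[chosen.size()] );
    }

    public static void main( String[] args ) throws Exception
    {
        // What the default SSLContext of the running JVM can enable (on Java 6 this is typically TLSv1 at most)
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        String[] chosen = selectProtocols( PREFERRED, supported );

        if ( chosen.length == 0 )
        {
            // Fail loudly rather than letting the handshake fail later with an unclear error
            throw new IllegalStateException( "No acceptable TLS version supported by this JVM: "
                + Arrays.toString( supported ) );
        }

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost( "ldap.example.com" ); // placeholder host
        config.setLdapPort( 636 );
        config.setUseSsl( true );
        config.setEnabledProtocols( chosen ); // setter assumed from the patch above

        System.out.println( "Enabled protocols: " + Arrays.toString( chosen ) );
    }
}
```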
