> Can I please get a review of this change which proposes to address the issue
> noted in https://bugs.openjdk.org/browse/JDK-8261289?
>
> The JDK's implementation of the `LdapContext` allows for the LDAPv3 Extended
> Response for StartTLS. `LdapContext.extendedOperation(new StartTlsRequest())`
> can be invoked by an application to obtain a `StartTlsResponse` which can
> then be used to `StartTlsResponse.negotiate()` a TLS session. A successful
> TLS negotiation will result in the underlying LDAP connection's input/output
> streams being switched to TLS specific streams. Any subsequent communication
> over the LDAP context will happen over these TLS streams, until the
> `StartTlsResponse.close()` is called.
>
> One part of TLS negotiation involves certificate verification. In the JDK's
> implementation of `StartTlsResponse`, if the certificate verification fails
> (for whatever reason) after the LDAP connection's streams have been switched
> to TLS specific streams, then these streams must be switched back to the
> original streams that were present before the TLS negotiation was attempted.
> However, due to a bug, this currently doesn't happen and after a failed TLS
> negotiation, subsequent communication over the LDAP connection (which is
> allowed) continues to use these TLS streams.
>
> The commit in this PR addresses that issue in the implementation of
> `StartTlsResponse`. Minor related clean up is done to that implementation to
> properly handle exceptions. A new jtreg test has been introduced to reproduce
> the issue and verify the fix.
>
> tier1, tier2, tier3 tests continue to pass with this change.

Jaikiran Pai has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:

 - merge latest from master branch
 - merge latest from master branch
 - 8261289: incorrect cleanup in LDAP TLS handling

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/30547/files
  - new: https://git.openjdk.org/jdk/pull/30547/files/07312ad8..bb27a3bc

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=30547&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=30547&range=00-01

  Stats: 14419 lines in 303 files changed: 11166 ins; 1556 del; 1697 mod
  Patch: https://git.openjdk.org/jdk/pull/30547.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/30547/head:pull/30547

PR: https://git.openjdk.org/jdk/pull/30547
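
Added example, not part of the pull request or the JDK sources: a JNDI client using the StartTLS calls named in the description above, written so that a failed `negotiate()` closes the context instead of leaving it available for further requests. The fail-closed policy, the class and method names, and the placeholder URL are assumptions of this example.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsFailClosed {

    /** Returns a context upgraded to TLS, or closes the connection and rethrows. */
    static LdapContext connectWithStartTls(String url) throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls =
                    (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() runs the TLS handshake, which includes certificate
            // verification, and throws an IOException when it fails.
            SSLSession session = tls.negotiate();
            System.out.println("TLS established: " + session.getProtocol()
                    + " / " + session.getCipherSuite());
            return ctx;
        } catch (NamingException | IOException e) {
            // Policy chosen for this example: a context whose StartTLS attempt
            // failed is never handed back to the caller for further requests.
            try {
                ctx.close();
            } catch (NamingException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL (assumption); pass the real server as the first argument.
        String url = args.length > 0 ? args[0] : "ldap://ldap.example.test:389";
        LdapContext ctx = connectWithStartTls(url);
        try {
            System.out.println("Context name: " + ctx.getNameInNamespace());
        } finally {
            ctx.close();
        }
    }
}
```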
