On Thu, 2 Apr 2026 05:43:47 GMT, Jaikiran Pai <[email protected]> wrote:
> Can I please get a review of this change which proposes to address the issue
> noted in https://bugs.openjdk.org/browse/JDK-8261289?
>
> The JDK's implementation of the `LdapContext` allows for the LDAPv3 Extended
> Response for StartTLS. `LdapContext.extendedOperation(new StartTlsRequest())`
> can be invoked by an application to obtain a `StartTlsResponse` which can
> then be used to `StartTlsResponse.negotiate()` a TLS session. A successful
> TLS negotiation will result in the underlying LDAP connection's input/output
> streams being switched to TLS specific streams. Any subsequent communication
> over the LDAP context will happen over these TLS streams, until the
> `StartTlsResponse.close()` is called.
>
> One part of TLS negotiation involves certificate verification. In the JDK's
> implementation of `StartTlsResponse`, if the certificate verification fails
> (for whatever reason) after the LDAP connection's streams have been switched
> to TLS specific streams, then these streams must be switched back to the
> original streams that were present before the TLS negotiation was attempted.
> However, due to a bug, this currently doesn't happen and after a failed TLS
> negotiation, subsequent communication over the LDAP connection (which is
> allowed) continues to use these TLS streams.
>
> The commit in this PR addresses that issue in the implementation of
> `StartTlsResponse`. Minor related clean up is done to that implementation to
> properly handle exceptions. A new jtreg test has been introduced to reproduce
> the issue and verify the fix.
>
> tier1, tier2, tier3 tests continue to pass with this change.
>
> ---------
> - [x] I confirm that I make this contribution in accordance with the [OpenJDK
> Interim AI Policy](https://openjdk.org/legal/ai).

This pull request has now been integrated.
Changeset: 14a7f920
Author:    Jaikiran Pai <[email protected]>
URL:       https://git.openjdk.org/jdk/commit/14a7f920d6251631d68b57d89ad8ac93f0208edb
Stats:     488 lines in 2 files changed: 440 ins; 31 del; 17 mod

8261289: Incorrect cleanup in LDAP TLS handling

Reviewed-by: aefimov

-------------

PR: https://git.openjdk.org/jdk/pull/30547
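The StartTLS flow described in the quoted PR text, as an added client-side example; this is not code from the PR, the JDK, or the author. It walks the `extendedOperation(new StartTlsRequest())` → `negotiate()` → `close()` sequence on a plaintext `LdapContext` and goes one step beyond the description by binding with credentials only after the handshake succeeds and by refusing to continue after a failed negotiation, which is the application-side behaviour that makes the stream-restoration fix irrelevant to what is sent on the wire. The LDAP URL, bind DN and password are placeholders, and `ldap.example.invalid` is not a real server.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsClientExample {

    // Placeholder server address; not taken from the PR, replace before use.
    static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    // Placeholder bind identity; constructed for this example.
    static final String BIND_DN = "cn=reader,dc=example,dc=invalid";
    static final String BIND_PASSWORD = "placeholder-password";

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);

        // Open the connection anonymously and in plaintext: no credentials are
        // sent until the TLS layer is in place.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        boolean negotiated = false;
        try {
            // LDAPv3 StartTLS extended operation; the server answers with an
            // extended response that the JDK maps to StartTlsResponse.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

            // negotiate() runs the handshake, including certificate and
            // hostname verification. On success the context's input/output
            // streams are the TLS streams from here on.
            SSLSession session = tls.negotiate();
            negotiated = true;
            System.out.println("TLS established: " + session.getProtocol()
                    + " / " + session.getCipherSuite());

            // Only now attach credentials and rebind, so they travel encrypted.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
            ctx.reconnect(null);

            // Lookups and searches over ctx are now protected by TLS.
            System.out.println("Bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } catch (IOException e) {
            // Handshake or certificate verification failed. JDK-8261289 makes
            // the JDK restore the plaintext streams here; the application's
            // job is still to stop rather than keep talking unprotected.
            NamingException ne = new NamingException(
                    "StartTLS negotiation failed; refusing to continue in plaintext");
            ne.setRootCause(e);
            throw ne;
        } finally {
            // close() ends the TLS layer and reverts to the underlying
            // connection; only meaningful if negotiation succeeded.
            if (negotiated) {
                try {
                    tls.close();
                } catch (IOException ignored) {
                    // nothing further to do on teardown
                }
            }
            ctx.close();
        }
    }
}
```

Sending credentials only after `negotiate()` returns, and abandoning the context when it throws, means the outcome of the stream switch-back inside `StartTlsResponse` never decides whether a secret crosses the network in the clear; the fix in this PR is still needed so that any post-failure traffic the application does choose to send uses the correct streams.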
