Nelson Bolyard wrote:
> Rich Megginson wrote, On 2008-09-24 19:00:
>> Nelson Bolyard wrote:
>>> The Java LDAP SSL code in java-sdk/ldapjdk/netscape/ldap on the trunk
>>> is very old, dating back to 2002, and bearing the tag LDAPJavaSDK_418.
>>>
>>> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/directory/java-sdk/ldapjdk/netscape/ldap/factory/JSSSocketFactory.java&rev=1.3&mark=146#129
>>>
>>> http://bonsai.mozilla.org/cvsgraph.cgi?file=mozilla/directory/java-sdk/ldapjdk/netscape/ldap/factory/JSSSocketFactory.java
>>>
>>> Is that the latest version?
>> Yes.
>
>> That's the latest that I know of. I'm not aware of anything later. I
>> think there might be a couple of patches in bugzilla that might have
>> made it to HEAD.
>>
>>> Or are some vendors shipping private newer versions of it?
>> Not that I know of. I think jpackage.org has 4.17 or 4.18, which are
>> the versions included with various versions of Red Hat Enterprise Linux,
>> Fedora, and some other linux distros. That's also the version we
>> include with the Red Hat (ex-Netscape) server products.
>
> Thanks, Rich,
>
> The question to which I am ultimately trying to get is:
> Does this Java LDAP SDK support SSL client authentication with client
> certificates?
> And my conclusion at this time is: no, it does not.
>
> I base that on these observations.
> 1. There are exactly two ways to do SSL client authentication with
> certificates using JSS. They are:
>
> a) Supplying a certApprovalCallback as an argument to the SSLSocket
> constructor, which this SDK does not do, as seen at
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/directory/java-sdk/ldapjdk/netscape/ldap/factory/JSSSocketFactory.java&rev=1.3&mark=146#129
>
> b) Calling either of the following two methods on the SSLSocket object
> before doing the handshake:
> setClientCertNickname
> setClientCert
> Based on the content of this page:
> http://mxr.mozilla.org/mozilla/search?string=setClientCert&find=ldapjdk
> I conclude that the ldapjdk does not do that, either.
>
> So, based on the above observations, I conclude that this Java LDAP SDK
> has no support for SSL client authentication with certificates.
>
> Rich, Do you concur with that conclusion?
The Cert System team suggests otherwise. They claim to be using ldapjdk/jss with client cert auth. As you probably know, the cert system is now open source.

http://pki.fedoraproject.org/wiki/PKI_Main_Page

Here is the file that implements ldap client cert auth:

https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cmscore/ldapconn/LdapJssSSLSocketFactory.java

The other files that implement ldap connections are here -

https://pki.fedoraproject.org/svn/pki/trunk/pki/base/common/src/com/netscape/cmscore/ldapconn/

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
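The thread turns on one detail: the stock ldapjdk JSSSocketFactory never calls setClientCertNickname or setClientCert on its JSS SSLSocket, so the server's certificate request is answered with no certificate. The following is an added illustration, not code from ldapjdk, JSS, or the Fedora/Dogtag PKI LdapJssSSLSocketFactory linked above, of where an application-supplied LDAPSocketFactory has to wire that call in. The class name ClientCertLdapSocketFactory, the NSS database path and the certificate nickname are assumptions made for the example; the JSS calls used (CryptoManager.initialize, SSLSocket.setClientCertNickname, SSLSocket.forceHandshake) and the ldapjdk LDAPSocketFactory/LDAPConnection API are the real ones.

```java
// Added example (not ldapjdk, JSS or PKI project code). Demonstrates the step
// the thread says the stock JSSSocketFactory lacks: binding a client
// certificate to the JSS SSLSocket *before* the TLS handshake.
//
// Assumptions made for this example: the NSS database directory and the
// client certificate nickname are supplied by the caller, and server
// certificate verification is left to JSS's default check against that
// NSS database.
import java.io.IOException;
import java.net.Socket;

import netscape.ldap.LDAPConnection;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSocketFactory;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.ssl.SSLSocket;

public class ClientCertLdapSocketFactory implements LDAPSocketFactory {

    private final String clientCertNickname;

    public ClientCertLdapSocketFactory(String nssDbDir, String clientCertNickname)
            throws Exception {
        if (clientCertNickname == null || clientCertNickname.length() == 0) {
            throw new IllegalArgumentException("client cert nickname is required");
        }
        // NSS must be initialised once per process; a host application that
        // already did so makes CryptoManager.initialize throw, which is fine.
        try {
            CryptoManager.initialize(nssDbDir);
        } catch (AlreadyInitializedException ignored) {
            // already initialised by the host application
        }
        this.clientCertNickname = clientCertNickname;
    }

    public Socket makeSocket(String host, int port) throws LDAPException {
        try {
            SSLSocket sock = new SSLSocket(host, port);
            // The decisive line for client auth: attach the cert/key pair from
            // the NSS database to this socket before any handshake data flows.
            // Without it, the server's CertificateRequest gets an empty reply
            // and the connection can only authenticate with a simple bind.
            sock.setClientCertNickname(clientCertNickname);
            // Run the handshake now so a rejected client certificate surfaces
            // as a connect-time error instead of failing the first LDAP op.
            sock.forceHandshake();
            return sock;
        } catch (IOException e) {
            throw new LDAPException("SSL connect to " + host + ":" + port
                    + " failed: " + e.getMessage(),
                    LDAPException.CONNECT_ERROR);
        }
    }

    // Typical use: hand the factory to LDAPConnection so every connection it
    // opens presents the client certificate. Which LDAP identity the server
    // maps that certificate to is server-side configuration.
    public static LDAPConnection connect(String host, int port,
            String nssDbDir, String nickname) throws Exception {
        LDAPConnection ld = new LDAPConnection(
                new ClientCertLdapSocketFactory(nssDbDir, nickname));
        ld.connect(host, port);
        return ld;
    }
}
```

The check worth keeping from this example is the placement: the nickname is set on the socket, then forceHandshake() is called, and only then is the socket returned to ldapjdk. A factory that returns the socket and lets ldapjdk trigger the handshake lazily still works, but a client-auth failure then shows up as an error on the first bind or search rather than at connect time, which is harder to diagnose in logs.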
