Natan Abolafya created DIRAPI-301:
-------------------------------------

             Summary: Ldaps connection trusts all certificates
                 Key: DIRAPI-301
                 URL: https://issues.apache.org/jira/browse/DIRAPI-301
             Project: Directory Client API
          Issue Type: Bug
    Affects Versions: 1.0.0-RC3
         Environment: Windows 10 & Ubuntu 14.04
            Reporter: Natan Abolafya

Thankfully we had an integration test for this, otherwise this is a major security issue.

This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0, the test started failing. "Affects version" says there is no 1.0.0 btw, but Maven disagrees.

I don't know about the raw APIs but this happens when `LdapConnectionTemplate` is used.

Thankfully I was able to work around it by assigning Java's default TrustManager.

```java
LdapConnectionConfig config = new LdapConnectionConfig();
....
// A null KeyStore initialises the factory with the JVM's default trust store
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
// Set the trust managers explicitly on the connection config
config.setTrustManagers(tmf.getTrustManagers());
...
DefaultLdapConnectionFactory connectionFactory = new DefaultLdapConnectionFactory(config);
return new LdapConnectionTemplate(new LdapConnectionPool(new ValidatingPoolableLdapConnectionFactory(connectionFactory)));
```

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
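
A regression check in the spirit of the integration test mentioned in the report, as an added example that is not part of the original message or of the Directory API code: it probes a `TrustManager[]` with a throwaway self-signed certificate and reports whether any manager accepts it. The class and method names (`TrustAllProbe`, `untrustedCert`, `acceptsUntrusted`) are hypothetical, the certificate is constructed on the fly, and the JDK's `keytool` is assumed to be on the PATH.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAllProbe {  // hypothetical name, not part of the LDAP API
    // Constructed probe input: a throwaway self-signed certificate made with the JDK's keytool.
    static X509Certificate untrustedCert() throws Exception {
        File ks = File.createTempFile("probe", ".p12");
        ks.delete(); // keytool must create the keystore file itself
        Process p = new ProcessBuilder("keytool", "-genkeypair", "-alias", "probe", "-keyalg", "RSA",
                "-keysize", "2048", "-dname", "CN=untrusted-probe", "-validity", "1", "-storetype", "PKCS12",
                "-keystore", ks.getPath(), "-storepass", "changeit", "-keypass", "changeit").inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(ks)) {
            store.load(in, "changeit".toCharArray());
        } finally {
            ks.delete();
        }
        return (X509Certificate) store.getCertificate("probe");
    }

    // True if any X509TrustManager accepts the probe certificate as a server identity.
    static boolean acceptsUntrusted(TrustManager[] tms, X509Certificate cert) {
        for (TrustManager tm : tms) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { cert }, "RSA");
                return true; // no exception: this manager does not validate the chain
            } catch (CertificateException rejected) {
                // expected from a validating trust manager
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // same default trust store as in the workaround
        boolean bad = acceptsUntrusted(tmf.getTrustManagers(), untrustedCert());
        System.out.println("default trust managers accept untrusted cert: " + bad); // a validating set yields false
    }
}
```

In a test suite, pass the same array that is handed to `config.setTrustManagers(...)` and fail the build if `acceptsUntrusted` returns true.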