Natan Abolafya created DIRAPI-301:
-------------------------------------
Summary: Ldaps connection trusts all certificates
Key: DIRAPI-301
URL: https://issues.apache.org/jira/browse/DIRAPI-301
Project: Directory Client API
Issue Type: Bug
Affects Versions: 1.0.0-RC3
Environment: Windows 10 & Ubuntu 14.04
Reporter: Natan Abolafya
Thankfully we had an integration test for this; otherwise this would have been
a major security issue.
This was working as expected on 1.0.0-RC2 but as soon as I bumped to 1.0.0, the
test started failing. "Affects version" says there is no 1.0.0 btw, but Maven
disagrees.
I don't know about the raw APIs but this happens when `LdapConnectionTemplate`
is used. Thankfully I was able to work around it by assigning Java's default
TrustManager.
    import java.security.KeyStore;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory;
    import org.apache.directory.ldap.client.api.LdapConnectionConfig;
    import org.apache.directory.ldap.client.api.LdapConnectionPool;
    import org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory;
    import org.apache.directory.ldap.client.template.LdapConnectionTemplate;

    LdapConnectionConfig config = new LdapConnectionConfig();
    // ....
    // Install the JVM's default trust managers explicitly, so the template
    // validates the server certificate against the default truststore.
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null); // null = JVM default truststore (cacerts)
    config.setTrustManagers(tmf.getTrustManagers());
    // ...
    DefaultLdapConnectionFactory connectionFactory =
        new DefaultLdapConnectionFactory(config);
    return new LdapConnectionTemplate(new LdapConnectionPool(
        new ValidatingPoolableLdapConnectionFactory(connectionFactory)));
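The check the reporter's integration test performs can be written as a small stand-alone program against the LDAP API: the same LDAPS handshake is attempted once with a trust-everything manager (written here to stand in for the reported "trusts all certificates" behaviour) and once with the JVM's default trust managers from the workaround above, and the run fails if the default configuration accepts an untrusted certificate. This is an added example, not code from this issue or from the Apache Directory project; the host `ldaps.example.test:636`, the assumption that its certificate is self-signed (not in `cacerts`), and the names `LdapsTrustCheck`, `TRUST_EVERYTHING`, `ldapsConfig` and `handshakeSucceeds` are this example's own.

```java
// Added example (not from the issue or the Apache Directory project).
// Assumes an LDAPS server at ldaps.example.test:636 (hypothetical host)
// whose certificate is self-signed, i.e. absent from the JVM truststore.
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public class LdapsTrustCheck {

    // A trust manager that accepts any chain. This is what "trusts all
    // certificates" means on the wire: anyone on the path can present any
    // certificate, the handshake completes, and the bind credentials go
    // to the attacker. Illustrative only; not the library's own code.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // The workaround from the issue: JDK default trust managers backed by
    // the default truststore (cacerts).
    static TrustManager[] defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JVM default truststore
        return tmf.getTrustManagers();
    }

    static LdapConnectionConfig ldapsConfig(String host, int port, TrustManager... tms) {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true);          // LDAPS, TLS from the first byte
        config.setTrustManagers(tms);    // the setting this issue is about
        return config;
    }

    // True if the TLS handshake (and TCP connect) completes with this config.
    static boolean handshakeSucceeds(LdapConnectionConfig config) {
        try (LdapNetworkConnection conn = new LdapNetworkConnection(config)) {
            return conn.connect();
        } catch (LdapException e) {
            // An untrusted server certificate surfaces here, wrapping the
            // underlying SSLHandshakeException.
            return false;
        } catch (Exception e) {
            return false; // close() may throw IOException
        }
    }

    public static void main(String[] args) throws Exception {
        String host = "ldaps.example.test"; // hypothetical, self-signed cert
        int port = 636;

        boolean trustAll = handshakeSucceeds(ldapsConfig(host, port, TRUST_EVERYTHING));
        boolean strict = handshakeSucceeds(ldapsConfig(host, port, defaultTrustManagers()));

        System.out.println("trust-all manager connected : " + trustAll);
        System.out.println("default truststore connected: " + strict);

        // Against a self-signed server the expected outcome is
        // trustAll == true (insecure) and strict == false (rejected).
        if (strict) {
            throw new AssertionError(
                "default truststore accepted an untrusted server certificate");
        }
    }
}
```

Run it against any LDAPS endpoint whose certificate is not in `cacerts`; a configuration that behaves like the reported bug connects in both cases, while the corrected one connects only after the server's CA is imported into the truststore. Note that the JDK default `X509TrustManager` validates the chain but does not by itself check that the certificate name matches the host you dialled; hostname verification is a separate setting and is worth a second test of its own.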
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)