[ https://issues.apache.org/jira/browse/OAK-9442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Angela Schreiber resolved OAK-9442.
-----------------------------------
    Fix Version/s: 1.40.0
       Resolution: Fixed

Committed revision 1890220.


> LDAPIdentityProvider: avoid usage of weak SSL/TLS protocol
> ----------------------------------------------------------
>
>                 Key: OAK-9442
>                 URL: https://issues.apache.org/jira/browse/OAK-9442
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Angela Schreiber
>            Priority: Major
>             Fix For: 1.40.0
>
>         Attachments: OAK-9442.patch
>
>
> Sonar issues a warning regarding usage of weak SSL/TLS protocols for the 
> following code in {{LDAPIdentityProvider}}:
> {code}
>         // make sure the JVM supports the TLSv1.1
>         try {
>             enabledSSLProtocols = null;
>             SSLContext.getInstance("TLSv1.1");
>         } catch (NoSuchAlgorithmException e) {
>             log.warn("JDK does not support TLSv1.1. Disabling it.");
>             enabledSSLProtocols = new String[]{"TLSv1"};
>         }
> {code}
> This code was introduced with OAK-2951 (Regression: SSL errors with 
> latest ldap client). My preference for addressing this would be to drop the 
> try/catch altogether and replace it with an optional configuration option that 
> allows the protocols to be enabled to be explicitly defined on the 
> {{LDAPConnectionConfiguration}}.
> The downside of this approach: current usage of oak-auth-ldap that relied 
> on having an automatic fallback to TLSv1 installed would no longer work. 
> However, I am not sure how big that risk is, given that TLSv1.2 is required 
> to be supported since Java 9 
> (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html).
> [~chaotic], [~insuafer], what do you think?
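The pattern the issue proposes, as an added example that is not part of the Jira issue, the attached patch or the Oak code base: the flagged fallback is kept side by side with a replacement that takes an explicitly configured protocol list, checks each entry against what the running JVM actually supports, and refuses rather than silently downgrading. The `WEAK` set and the class and method names are assumptions made here for illustration; the only library calls used are `javax.net.ssl.SSLContext` ones.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public final class LdapTlsProtocolPolicy {

    // Assumed policy for this example: versions a static analyser commonly treats as weak.
    private static final Set<String> WEAK =
            new HashSet<>(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));

    private LdapTlsProtocolPolicy() {
    }

    /** Before: the pattern the issue flags. A missing TLSv1.1 silently downgrades to TLSv1. */
    static String[] legacyFallback() {
        try {
            SSLContext.getInstance("TLSv1.1");
            return null; // null meant "leave the JVM defaults untouched"
        } catch (NoSuchAlgorithmException e) {
            return new String[] {"TLSv1"};
        }
    }

    /**
     * After: protocols come from configuration only. Unknown or weak entries fail fast
     * instead of being replaced by something older; an empty configuration keeps the
     * JVM defaults, which on Java 9+ already include TLSv1.2.
     */
    static String[] resolveEnabledProtocols(String[] configured) throws NoSuchAlgorithmException {
        if (configured == null || configured.length == 0) {
            return null;
        }
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        List<String> result = new ArrayList<>();
        for (String p : configured) {
            String name = p.trim();
            if (!supported.contains(name)) {
                throw new IllegalArgumentException("TLS protocol not supported by this JVM: " + name);
            }
            if (WEAK.contains(name)) {
                throw new IllegalArgumentException("Refusing to enable weak TLS protocol: " + name);
            }
            result.add(name);
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configurations: one acceptable, one that must be rejected.
        System.out.println(Arrays.toString(resolveEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"})));
        try {
            resolveEnabledProtocols(new String[] {"TLSv1"});
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validated array is what a connection configuration would receive; with the Apache Directory LDAP client that is `LdapConnectionConfig.setEnabledProtocols(String...)` (an assumption about that API, not something the issue shows). Leaving the result `null` for an empty configuration preserves the JVM's own defaults, which is exactly the behaviour the old try/catch discarded whenever TLSv1.1 was missing.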



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
