[ https://issues.apache.org/jira/browse/OAK-9442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Angela Schreiber resolved OAK-9442.
-----------------------------------
    Fix Version/s: 1.40.0
       Resolution: Fixed

Committed revision 1890220.

> LDAPIdentityProvider: avoid usage of weak SSL/TLS protocol
> ----------------------------------------------------------
>
>                 Key: OAK-9442
>                 URL: https://issues.apache.org/jira/browse/OAK-9442
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-ldap
>            Reporter: Angela Schreiber
>            Priority: Major
>             Fix For: 1.40.0
>
>         Attachments: OAK-9442.patch
>
>
> sonar issues a warning regarding usage of weak SSL/TLS protocols for the
> following code in {{LDAPIdentityProvider}}:
> {code}
> // make sure the JVM supports TLSv1.1
> try {
>     // null leaves the protocol selection to the JDK defaults
>     enabledSSLProtocols = null;
>     SSLContext.getInstance("TLSv1.1");
> } catch (NoSuchAlgorithmException e) {
>     // automatic fallback to TLSv1 when TLSv1.1 is unavailable
>     log.warn("JDK does not support TLSv1.1. Disabling it.");
>     enabledSSLProtocols = new String[]{"TLSv1"};
> }
> {code}
> This code has been introduced with OAK-2951 (Regression: SSL errors with
> latest ldap client). My preference for addressing this would be to drop the
> try/catch altogether and replace it with an optional configuration option that
> allows to explicitly define the protocols to be enabled on the
> {{LDAPConnectionConfiguration}}.
> The downside of this approach: current usage of the oak-auth-ldap that relied
> on having an automatic fallback to TLSv1 installed would no longer work.
> However, I am not sure how big that risk is, given that TLSv1.2 is required
> to be supported since java 9
> (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html)
> [~chaotic], [~insuafer], what do you think?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
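As an added example, not Oak's code and not the contents of OAK-9442.patch, here is how the proposal in the description (drop the TLSv1.1 probe and take the enabled protocols from an explicit option on the connection configuration) could look next to the probe-and-fall-back pattern it replaces. The class name LdapTlsProtocols, the option name "enabledProtocols", the DEFAULT_PROTOCOLS list and the setter named in the final comment are assumptions for illustration, not Oak's or the LDAP client's API:

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;

/**
 * Added example (not Oak's code): contrasts the probe-and-fall-back pattern the
 * ticket objects to with an explicit, configuration-driven protocol list.
 * Class name, option name and defaults are assumptions for illustration.
 */
public final class LdapTlsProtocols {

    private static final Logger LOG = Logger.getLogger(LdapTlsProtocols.class.getName());

    /** Used when the (assumed) "enabledProtocols" option is not configured. */
    static final String[] DEFAULT_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /** Protocols that must never be enabled unless an administrator asked for them. */
    static final Set<String> WEAK = new LinkedHashSet<>(
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));

    private LdapTlsProtocols() {
    }

    /**
     * Before: probe for TLSv1.1 and, if the JDK lacks it, silently restrict the
     * connection to TLSv1. A null result means "leave the JDK defaults alone".
     * Kept here only to show what the explicit variant replaces.
     */
    static String[] legacyFallback() {
        try {
            SSLContext.getInstance("TLSv1.1");
            return null;
        } catch (NoSuchAlgorithmException e) {
            LOG.warning("JDK does not support TLSv1.1. Falling back to TLSv1.");
            return new String[] {"TLSv1"};
        }
    }

    /**
     * After: the enabled protocols come from configuration. With nothing
     * configured a strong default is used and unsupported entries are skipped;
     * with an explicit list every entry must be supported by the JDK, and weak
     * protocols are accepted but logged, so a downgrade is a visible, deliberate
     * administrative choice instead of an automatic fallback.
     */
    static String[] resolve(String[] configured) throws NoSuchAlgorithmException {
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        boolean explicit = configured != null && configured.length > 0;
        String[] wanted = explicit ? configured : DEFAULT_PROTOCOLS;

        Set<String> result = new LinkedHashSet<>();
        for (String protocol : wanted) {
            if (!supported.contains(protocol)) {
                if (explicit) {
                    throw new IllegalArgumentException(
                            "configured TLS protocol not supported by this JDK: " + protocol);
                }
                continue; // e.g. TLSv1.3 on an older JDK: drop it, keep TLSv1.2
            }
            if (WEAK.contains(protocol)) {
                // The JDK may still refuse it at handshake time via jdk.tls.disabledAlgorithms.
                LOG.warning("weak TLS protocol explicitly enabled for LDAP: " + protocol);
            }
            result.add(protocol);
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("no usable TLS protocol for the LDAP connection");
        }
        // Hand the array to the LDAP client's connection configuration, e.g. a
        // setEnabledProtocols(String[]) setter on its config object (setter
        // name assumed; check the client's API).
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before (probe + fallback): " + Arrays.toString(legacyFallback()));
        System.out.println("after, unconfigured:       " + Arrays.toString(resolve(null)));
        System.out.println("after, TLSv1.2 only:       " + Arrays.toString(resolve(new String[] {"TLSv1.2"})));
        System.out.println("after, opted into TLSv1:   " + Arrays.toString(resolve(new String[] {"TLSv1"})));
    }
}
```

Two practical caveats when deploying something like this: a protocol listed by getSupportedSSLParameters() is not necessarily usable, because recent JDK updates put TLSv1 and TLSv1.1 into the jdk.tls.disabledAlgorithms security property, so an explicit opt-in to those versions still fails at handshake time unless that property is also edited; and because the explicit path throws on a misconfigured entry rather than silently downgrading, a deployment that today relies on the automatic TLSv1 fallback will fail loudly at startup, which is the behaviour change the description flags as the downside of the approach.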