RFR: 8259707: LDAP channel binding does not work with StartTLS extension

Aleksei Efimov aefimov at openjdk.java.net
Wed Jan 20 15:11:51 UTC 2021


On Wed, 20 Jan 2021 14:41:26 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Please review a small patch to enable LDAP TLS Channel Binding with StartTLS Extension.
>> The test from the bug report and the jtreg javax/naming tests pass.
>
> That looks reasonable to me. But what would happen if at some point after performing some LDAP operations, you called StartTLSResponse::close and then after some more time you tried to again create a StartTLSRequest on the same context? Would that work - or would you be using a possibly obsolete channel binding obtained from the first upgrade?

The change looks valid to me too.
I believe Daniel's question could be illustrated with the following change to the `CBwithTLS` reproducer attached to the bug report:
--- CBwithTLS_Original.java	2021-01-20 14:56:09.620844903 +0000
+++ CBwithTLS.java	2021-01-20 15:01:47.253982227 +0000
@@ -45,7 +45,7 @@
         System.out.println(ctxt.getAttributes("", new String[]{"defaultNamingContext"}).get("defaultNamingContext").get());
 
         // Switch to TLS
-
+        for (int i=0; i<2; i++) {
         StartTlsResponse tls = (StartTlsResponse) ctxt.extendedOperation(new StartTlsRequest());
         tls.negotiate();
 
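Review bot: after `for (int i=0; i<2; i++) {` is added, the loop body `StartTlsResponse tls = (StartTlsResponse) ctxt.extendedOperation(new StartTlsRequest());` and `tls.negotiate();` keep their original indentation, so the loop scope is invisible from the layout; reindent these lines to the deeper level that the added `lc.logout();` and `tls.close();` lines in the next hunk already use, and add a one-line comment that the second iteration re-upgrades the same context after the first TLS layer was closed, since that is the case this loop exists to exercise.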
@@ -64,6 +64,9 @@
         lc.login();
 
         Subject.doAs(lc.getSubject(), (PrivilegedAction<Void>) CBwithTLS::run);
+            lc.logout();
+            tls.close();
+        }
     }
 
     private static Void run() {
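Review bot: `lc.logout();` and `tls.close();` only run when `Subject.doAs(lc.getSubject(), (PrivilegedAction<Void>) CBwithTLS::run);` returns normally, so a failure inside `run()` leaves the login and the TLS layer open while the exception propagates; wrap the call as `try { Subject.doAs(...); } finally { lc.logout(); tls.close(); }` so the cleanup that the second iteration depends on is deterministic. The closing `}` of the loop is also indented to the body level and does not line up with the `for` opening in the previous hunk.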

-------------

PR: https://git.openjdk.java.net/jdk/pull/2085
