RFR: 8259707: LDAP channel binding does not work with StartTLS extension
Daniel Fuchs
dfuchs at openjdk.java.net
Wed Jan 20 16:01:00 UTC 2021
On Wed, 20 Jan 2021 15:34:24 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
> New ChannelBinding Data will be recreated for every TLS connection and provided to SASL Client in the new environment properties set (cloned from the original).
> LdapSasl.java lines 133 - 136:
>
> ```
> TlsChannelBinding tlsCB =
> TlsChannelBinding.create(cert);
> envProps = (Hashtable<String, Object>) env.clone();
Hi Alexey,
Aleksei and I have concern because this code uses a `cert` that is obtained from a CompletableFuture, and the completable future can be completed only once. The second time around - you will therefore find the same `cert` that was set when the first StartTLSResponse was negotiated. This may - or may not matter - depending on whether the `cert` certificate returned by the server the second time around should be the same - or not.
Could you test this scenario?
It may be that it's a niche scenario that makes no sense or that we don't want to support - I'm not sure how STARTTLS is used in the wild. Do you have any insights on this?
best regards,
-- daniel
-------------
PR: https://git.openjdk.java.net/jdk/pull/2085
More information about the core-libs-dev
mailing list