LDAP/TLS regression in 8u272
Severin Gehwolf
sgehwolf at redhat.com
Fri Oct 30 13:42:38 UTC 2020
Hi,
Thanks again for the report!
On Fri, 2020-10-30 at 14:18 +0100, Thorsten Meinl wrote:
> Hi,
>
> > It might be. Does it work with JDK 11? Would you have a reproducer for
> > this issue?
> We have other services using LDAP with TLS that run on Java 11 (JFrog
> Artifactory - Java 11.0.7, Sonarqube - Java 11.0.8) which don't have that
> problem.
That makes sense. JDK-8214440 is in 11.0.8 and onwards.
> For reproducing you need an LDAP server configured with TLS and a Tomcat
> installation. Configure Tomcat with the LDAP server as authentication realm,
> e.g.
>
> <Realm className="org.apache.catalina.realm.JNDIRealm"
> connectionURL="ldap://ldap:389"
> useStartTls="true"
> userBase = "ou=people, dc=knime, dc=com"
> userSearch = "(cn={0})"
> roleBase="ou=groups,dc=knime,dc=com"
> roleName="cn"
> roleSearch="(member={0})"
> />
>
> I also found
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972962
>
> and
>
> https://bugs.openjdk.java.net/browse/JDK-8214440
>
> which looks like exactly the same issue. The latter was supposed to be
> backported to 8u261.
JDK-8214440 is in Oracle JDK 8u261, but not in any OpenJDK 8u yet. I'll
see to getting it included in an upcoming OpenJDK 8u release.
> 8u265 didn't have that issue but 8u272 does. Maybe the
> backport got lost?
It was never there. It's a possibility that the changed TLS stack in
OpenJDK 8u272 caused this issue to surface now.
Thanks,
Severin
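
A stand-alone check of the StartTLS path described in the reproduction steps, without Tomcat. This is an added example, not code from the thread or from OpenJDK. It assumes that JNDIRealm's useStartTls goes through JNDI's StartTlsRequest extended operation; the class name StartTlsCheck is made up, and the default URL is the connectionURL from the Realm snippet.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

// Hypothetical helper class: performs LDAP StartTLS via JNDI and reports the outcome.
public class StartTlsCheck {
    public static void main(String[] args) throws Exception {
        // Default mirrors the Realm's connectionURL; pass another URL as the first argument.
        String url = args.length > 0 ? args[0] : "ldap://ldap:389";

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        // Print the runtime so results from different JDK builds can be compared.
        System.out.println("java.version = " + System.getProperty("java.version"));

        LdapContext ctx = null;
        StartTlsResponse tls = null;
        int exitCode = 0;
        try {
            ctx = new InitialLdapContext(env, null);
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the default SSLSocketFactory and checks the server
            // certificate against the host name in the URL.
            SSLSession session = tls.negotiate();
            System.out.println("StartTLS OK: " + session.getProtocol()
                    + " / " + session.getCipherSuite());
            System.out.println("Peer: " + session.getPeerPrincipal());
        } catch (Exception e) {
            exitCode = 1;
            // Print the whole cause chain; the TLS-level error is usually nested.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("StartTLS FAILED: " + t);
            }
        } finally {
            if (tls != null) tls.close();
            if (ctx != null) ctx.close();
        }
        System.exit(exitCode);
    }
}
```

Running the same class under each JDK build mentioned in the thread shows whether the failure follows the runtime rather than the Tomcat configuration. If the server certificate is not in the default trust store, point `-Djavax.net.ssl.trustStore` at one that contains it.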