LDAP/TLS regression in 8u272

Severin Gehwolf sgehwolf at redhat.com
Fri Oct 30 13:42:38 UTC 2020


Hi,

Thanks again for the report!

On Fri, 2020-10-30 at 14:18 +0100, Thorsten Meinl wrote:
> Hi,
> 
> > It might be. Does it work with JDK 11? Would you have a reproducer for
> > this issue?
> We have other services using LDAP with TLS that run on Java 11 (JFrog 
> Artifactory - Java 11.0.7, Sonarqube - Java 11.0.8) which don't have that 
> problem.

That makes sense. JDK-8214440 is in 11.0.8 and onwards.

> For reproducing you need an LDAP server configured with TLS and a Tomcat 
> installation. Configure Tomcat with the LDAP server as authentication realm, 
> e.g.
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>         connectionURL="ldap://ldap:389"
>         useStartTls="true"
>         userBase = "ou=people, dc=knime, dc=com"
>         userSearch = "(cn={0})"
>         roleBase="ou=groups,dc=knime,dc=com"
>         roleName="cn"
>         roleSearch="(member={0})"
> />
> 
> I also found 
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972962
> 
> and
> 
> https://bugs.openjdk.java.net/browse/JDK-8214440
> 
> which looks like exactly the same issue. The latter was supposed to be 
> backported to 8u261.

JDK-8214440 is in Oracle JDK 8u261, but not in any OpenJDK 8u yet. I'll
see to get it included in an upcoming OpenJDK 8u release.

> 8u265 didn't have that issue but 8u272 does. Maybe the 
> backport got lost?

It was never there. It's a possibility that the changed TLS stack in
OpenJDK 8u272 caused this issue to surface now.

Thanks,
Severin
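
A Tomcat-independent check of the connection setup used by the Realm quoted above (plain `ldap://` on port 389 upgraded with StartTLS), as an added example that is not part of the original message and not code from Tomcat or OpenJDK. The class name `StartTlsCheck` is hypothetical, and it is an assumption that the regression also shows up in a bare JNDI StartTLS negotiation and that the server permits an anonymous root DSE read.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

// Hypothetical reproducer: run it with each JDK build under test
// (e.g. 8u265 vs 8u272) against the same LDAP server and compare results.
public class StartTlsCheck {
    public static void main(String[] args) throws Exception {
        // Default mirrors connectionURL from the quoted Realm configuration.
        String url = args.length > 0 ? args[0] : "ldap://ldap:389";

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("connecting to " + url);

        // Plain-text connection first; TLS is negotiated afterwards (StartTLS).
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

            // Handshake plus hostname verification against the server certificate.
            // The certificate must chain to the JVM trust store
            // (or one given via -Djavax.net.ssl.trustStore=...).
            SSLSession session = tls.negotiate();
            System.out.println("StartTLS OK: " + session.getProtocol()
                    + " / " + session.getCipherSuite());

            // One read over the upgraded connection to confirm it is usable.
            Attributes rootDse = ctx.getAttributes("", new String[] {"namingContexts"});
            System.out.println("root DSE: " + rootDse);
        } finally {
            // Any exception above propagates with its full stack trace,
            // which is the useful artifact for a bug report.
            if (tls != null) {
                tls.close();
            }
            ctx.close();
        }
    }
}
```
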



More information about the jdk8u-dev mailing list