LDAP/TLS regression in 8u272

Andrew Hughes gnu.andrew at redhat.com
Fri Oct 30 20:09:08 UTC 2020


On 14:42 Fri 30 Oct     , Severin Gehwolf wrote:
> Hi,
> 
> Thanks again for the report!
> 
> On Fri, 2020-10-30 at 14:18 +0100, Thorsten Meinl wrote:
> > Hi,
> > 
> > > It might be. Does it work with JDK 11? Would you have a reproducer for
> > > this issue?
> > We have other services using LDAP with TLS that run on Java 11 (JFrog 
> > Artifactory - Java 11.0.7, Sonarqube - Java 11.0.8) which don't have that 
> > problem.
> 
> That makes sense. JDK-8214440 is in 11.0.8 and onwards.
> 
> > For reproducing you need an LDAP server configured with TLS and a Tomcat 
> > installation. Configure Tomcat with the LDAP server as authentication realm, 
> > e.g.
> > 
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >         connectionURL="ldap://ldap:389"
> >         useStartTls="true"
> >         userBase = "ou=people, dc=knime, dc=com"
> >         userSearch = "(cn={0})"
> >         roleBase="ou=groups,dc=knime,dc=com"
> >         roleName="cn"
> >         roleSearch="(member={0})"
> > />
> > 
> > I also found 
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972962
> > 
> > and
> > 
> > https://bugs.openjdk.java.net/browse/JDK-8214440
> > 
> > which looks like exactly the same issue. The latter was supposed to be 
> > backported to 8u261.
> 
> JDK-8214440 is in Oracle JDK 8u261, but not in any OpenJDK 8u yet. I'll
> see to get it included in an upcoming OpenJDK 8u release.
> 
> > 8u265 didn't have that issue but 8u272 does. Maybe the 
> > backport got lost?
> 
> It was never there. It's a possibility that the changed TLS stack in
> OpenJDK 8u272 caused this issue to surface now.
> 
> Thanks,
> Severin
> 

Thanks. I've approved it and will make sure it gets in 8u282-b01.

The TLSv1.3 stack was added in the 8u272 release of OpenJDK, but without
referencing most of the bugs it resolves. There is, as a result, still
a large number of bugs marked as fixed in Oracle's 8u261 (where TLSv1.3
went in for them) and 8u271 that are either fixed by the OpenJDK 8u
backport or (if from 11.0.8 or 11.0.9) still pending. This is the third
I've come across in the last few days.

I'll try and triage through them to catch what's left.
-- 
Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222


More information about the jdk8u-dev mailing list