Update the LDAP connection handler so that it only attempts to verify the key
manager provider and trust manager provider values if either SSL or StartTLS is
enabled. Previously, if a key/trust manager provider value was provided, then
the server would require it to refer to a valid enabled key/trust manager
provider, even if it wouldn't be used. Also, add a new check to ensure that if
SSL or StartTLS is enabled, then a valid key manager provider and trust manager
provider must have been configured for that connection handler.
OpenDS Issue Number: 1294
| | |
| | | |
| | | |
| | | /** |
| | | * The message ID for the message that will be used if either SSL or StartTLS |
| | | * support is enabled but no key manager provider is configured for the |
| | | * connection handler. This takes a single argument, which is the DN of the |
| | | * connection handler configuration entry. |
| | | */ |
| | | public static final int MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN = |
| | | CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_SEVERE_ERROR | 402; |
| | | |
| | | |
| | | |
| | | /** |
| | | * The message ID for the message that will be used if either SSL or StartTLS |
| | | * support is enabled but no trust manager provider is configured for the |
| | | * connection handler. This takes a single argument, which is the DN of the |
| | | * connection handler configuration entry. |
| | | */ |
| | | public static final int MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN = |
| | | CATEGORY_MASK_PROTOCOL | SEVERITY_MASK_SEVERE_ERROR | 403; |
| | | |
| | | |
| | | |
| | | /** |
| | | * Associates a set of generic messages with the message IDs defined in this |
| | | * class. |
| | | */ |
| | |
| | | "operation. These options may not be used at the same " + |
| | | "time, so clients will not be allowed to use the " + |
| | | "StartTLS operation."); |
| | | registerMessage(MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN, |
| | | "The LDAP connection handler defined in configuration " + |
| | | "entry %s is configured to use either SSL or StartTLS, " + |
| | | "but does not specify which key manager provider should " + |
| | | "be used."); |
| | | registerMessage(MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN, |
| | | "The LDAP connection handler defined in configuration " + |
| | | "entry %s is configured to use either SSL or StartTLS, " + |
| | | "but does not specify which trust manager provider " + |
| | | "should be used."); |
| | | registerMessage(MSGID_LDAP_CONNHANDLER_CANNOT_DETERMINE_ALLOW_STARTTLS, |
| | | "An unexpected error occurred while processing the " + |
| | | ATTR_ALLOW_STARTTLS + " attribute in configuration entry " + |
| | |
| | | ErrorLogSeverity.SEVERE_WARNING, message, msgID); |
| | | } |
| | | |
| | | if (config.isAllowStartTLS() || config.isUseSSL()) |
| | | { |
| | | // Validate the key manager provider DN. |
| | | DN keyManagerProviderDN = config.getKeyManagerProviderDN(); |
| | | if (keyManagerProviderDN != null) { |
| | | if (keyManagerProviderDN == null) { |
| | | int msgID = MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN; |
| | | String message = getMessage(msgID, String.valueOf(config.dn())); |
| | | throw new ConfigException(msgID, message); |
| | | } else { |
| | | KeyManagerProvider provider = DirectoryServer |
| | | .getKeyManagerProvider(keyManagerProviderDN); |
| | | if (provider == null) { |
| | |
| | | |
| | | // Validate the trust manager provider DN. |
| | | DN trustManagerProviderDN = config.getTrustManagerProviderDN(); |
| | | if (trustManagerProviderDN != null) { |
| | | if (trustManagerProviderDN == null) { |
| | | int msgID = MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN; |
| | | String message = getMessage(msgID, String.valueOf(config.dn())); |
| | | throw new ConfigException(msgID, message); |
| | | } else { |
| | | TrustManagerProvider provider = DirectoryServer |
| | | .getTrustManagerProvider(trustManagerProviderDN); |
| | | if (provider == null) { |
| | |
| | | throw new ConfigException(msgID, message); |
| | | } |
| | | } |
| | | } |
| | | |
| | | // Open the selector. |
| | | try { |
| | |
| | | isAcceptable = false; |
| | | } |
| | | |
| | | if (config.isAllowStartTLS() || config.isUseSSL()) |
| | | { |
| | | // Validate the key manager provider DN. |
| | | DN keyManagerProviderDN = config.getKeyManagerProviderDN(); |
| | | if (keyManagerProviderDN != null) { |
| | | if (keyManagerProviderDN == null) { |
| | | int msgID = MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN; |
| | | String message = getMessage(msgID, String.valueOf(config.dn())); |
| | | unacceptableReasons.add(message); |
| | | isAcceptable = false; |
| | | } else { |
| | | KeyManagerProvider provider = DirectoryServer |
| | | .getKeyManagerProvider(keyManagerProviderDN); |
| | | if (provider == null) { |
| | |
| | | |
| | | // Validate the trust manager provider DN. |
| | | DN trustManagerProviderDN = config.getTrustManagerProviderDN(); |
| | | if (trustManagerProviderDN != null) { |
| | | if (trustManagerProviderDN == null) { |
| | | int msgID = MSGID_LDAP_CONNHANDLER_NO_TRUSTMANAGER_DN; |
| | | String message = getMessage(msgID, String.valueOf(config.dn())); |
| | | unacceptableReasons.add(message); |
| | | isAcceptable = false; |
| | | } else { |
| | | TrustManagerProvider provider = DirectoryServer |
| | | .getTrustManagerProvider(trustManagerProviderDN); |
| | | if (provider == null) { |
| | |
| | | isAcceptable = false; |
| | | } |
| | | } |
| | | } |
| | | |
| | | return isAcceptable; |
| | | } |
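Review bot: The new provider validation is written out twice with only the failure action differing — thrown as a ConfigException in the first hunk, appended to unacceptableReasons in the second — so the two copies will drift the next time a check is added to one of them. Factoring each provider check into a private helper that returns the ConfigException to raise (or null when the DN is set and resolves) lets initializeConnectionHandler throw it and isConfigurationChangeAcceptable record its message while keeping the msgID in one place; this assumes ConfigException.getMessage() returns the message passed to its constructor. I read each paired `!= null` / `== null` line as the old and new form of the same condition; if both are really present in the new code, the inner `== null` branch is unreachable. The comment at `// Validate the key manager provider DN.` would say more as `// Key and trust manager providers are only required, and only validated, when SSL or StartTLS is enabled; an unused provider reference is deliberately left unchecked.` Both enclosing methods start and end outside these hunks.
```java
// Shared by initializeConnectionHandler and isConfigurationChangeAcceptable
// so the two validations cannot drift apart.  Returns the exception that
// describes the problem with the key manager provider, or null when the DN
// is configured and resolves to a registered provider.
private ConfigException checkKeyManagerProvider(DN configDN,
                                                DN keyManagerProviderDN)
{
  if (keyManagerProviderDN == null)
  {
    int msgID = MSGID_LDAP_CONNHANDLER_NO_KEYMANAGER_DN;
    return new ConfigException(msgID,
                               getMessage(msgID, String.valueOf(configDN)));
  }

  KeyManagerProvider provider =
       DirectoryServer.getKeyManagerProvider(keyManagerProviderDN);
  if (provider == null)
  {
    // … unchanged: msgID/message for an unknown provider, as in the hunk …
    return new ConfigException(msgID, message);
  }

  return null;
}

// … same shape for the trust manager provider (checkTrustManagerProvider) …

// initializeConnectionHandler:
if (config.isAllowStartTLS() || config.isUseSSL())
{
  ConfigException ce =
       checkKeyManagerProvider(config.dn(), config.getKeyManagerProviderDN());
  if (ce != null)
  {
    throw ce;
  }
  // … unchanged: trust manager provider handled the same way …
}

// isConfigurationChangeAcceptable:
  if (ce != null)
  {
    unacceptableReasons.add(ce.getMessage());
    isAcceptable = false;
  }
```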
| | |
| | | "ds-cfg-allow-start-tls: false", |
| | | "ds-cfg-use-ssl: false", |
| | | "ds-cfg-ssl-client-auth-policy: optional", |
| | | "ds-cfg-ssl-cert-nickname: server-cert"); |
| | | "ds-cfg-ssl-cert-nickname: server-cert", |
| | | "ds-cfg-key-manager-provider-dn: cn=JKS,cn=Key Manager Providers,cn=config", |
| | | "ds-cfg-trust-manager-provider-dn: cn=JKS,cn=Trust Manager Providers,cn=config"); |
| | | LDAPConnectionHandler LDAPConnHandler=getLDAPHandlerInstance(LDAPHandlerEntry); |
| | | LDAPConnHandler.allowLDAPv2(); |
| | | LDAPConnHandler.allowStartTLS(); |
| | |
| | | "ds-cfg-allow-start-tls: false", |
| | | "ds-cfg-use-ssl: false", |
| | | "ds-cfg-ssl-client-auth-policy: optional", |
| | | "ds-cfg-ssl-cert-nickname: server-cert"); |
| | | "ds-cfg-ssl-cert-nickname: server-cert", |
| | | "ds-cfg-key-manager-provider-dn: cn=JKS,cn=Key Manager Providers,cn=config", |
| | | "ds-cfg-trust-manager-provider-dn: cn=JKS,cn=Trust Manager Providers,cn=config"); |
| | | |
| | | // Add some invalid attrs and some duplicate attrs |
| | | Attribute a2=new Attribute(ATTR_LISTEN_PORT, String.valueOf(389)); |
| | |
| | | "ds-cfg-allow-start-tls: false", |
| | | "ds-cfg-use-ssl: true", |
| | | "ds-cfg-ssl-client-auth-policy: optional", |
| | | "ds-cfg-ssl-cert-nickname: server-cert"); |
| | | "ds-cfg-ssl-cert-nickname: server-cert", |
| | | "ds-cfg-key-manager-provider-dn: cn=JKS,cn=Key Manager Providers,cn=config", |
| | | "ds-cfg-trust-manager-provider-dn: cn=JKS,cn=Trust Manager Providers,cn=config"); |
| | | LDAPConnectionHandler LDAPConnHandler=getLDAPHandlerInstance(GoodHandlerEntry); |
| | | //Make attrTypes to remove |
| | | AttributeType at0=DirectoryServer.getAttributeType(ATTR_LISTEN_PORT, true); |