From 0d31b80cec97ff9e6d9135a219ffa4e993eb5242 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Wed, 07 Sep 2016 12:49:11 +0000
Subject: [PATCH] OPENDJ-3221 Set better default TLS protocols which can also be overridden

---
 opendj-server-legacy/src/main/java/org/opends/admin/ads/util/ConnectionWrapper.java |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/admin/ads/util/ConnectionWrapper.java b/opendj-server-legacy/src/main/java/org/opends/admin/ads/util/ConnectionWrapper.java
index ce9447c..12a1de1 100644
--- a/opendj-server-legacy/src/main/java/org/opends/admin/ads/util/ConnectionWrapper.java
+++ b/opendj-server-legacy/src/main/java/org/opends/admin/ads/util/ConnectionWrapper.java
@@ -25,12 +25,14 @@
 
 import java.io.Closeable;
 import java.security.GeneralSecurityException;
+import java.security.NoSuchAlgorithmException;
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 
+import com.forgerock.opendj.cli.ConnectionFactoryProvider;
 import org.forgerock.opendj.config.LDAPProfile;
 import org.forgerock.opendj.ldap.Connection;
 import org.forgerock.opendj.ldap.DN;
@@ -149,8 +151,13 @@
         .set(CONNECT_TIMEOUT, duration(connectTimeout, TimeUnit.MILLISECONDS));
     if (isLdaps || isStartTls)
     {
-      options.set(SSL_CONTEXT, getSSLContext(trustManager, keyManager))
-             .set(SSL_USE_STARTTLS, isStartTls);
+      try {
+        options.set(SSL_CONTEXT, getSSLContext(trustManager, keyManager))
+                .set(SSL_USE_STARTTLS, isStartTls)
+                .set(SSL_ENABLED_PROTOCOLS, ConnectionFactoryProvider.getDefaultProtocols());
+      } catch (NoSuchAlgorithmException e) {
+          throw newLdapException(CLIENT_SIDE_PARAM_ERROR, "Unable to perform SSL initialization:" + e.getMessage());
+      }
     }
     SimpleBindRequest request = bindDn != null && bindPwd != null
         ? newSimpleBindRequest(bindDn.toString(), bindPwd.toCharArray())
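Review bot: The new `catch (NoSuchAlgorithmException e)` block discards the original exception, keeping only `e.getMessage()` in the rethrown LdapException, so the stack trace showing why the protocol/context setup failed is lost, and the message is also missing a space after the colon. If an overload of `newLdapException` that accepts a cause is available, prefer `throw newLdapException(CLIENT_SIDE_PARAM_ERROR, "Unable to perform SSL initialization: " + e.getMessage(), e);`. Since the enabled protocol list now comes from `ConnectionFactoryProvider.getDefaultProtocols()`, which is not visible here, a brief comment above the `set(SSL_ENABLED_PROTOCOLS, ...)` line such as `// Enabled TLS protocols are defined (and may be overridden) in ConnectionFactoryProvider` would tell the next reader where the policy lives. Stylistically, `try {` on the same line and the 4-space body indent differ from the Allman braces and 2-space indent the surrounding `if` uses. The enclosing method starts and ends outside the hunk.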

--
Gitblit v1.10.0