From 3d89796e2132d07e7b159c965c75d01d4c2d1b17 Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Tue, 22 Jan 2013 10:35:00 +0000
Subject: [PATCH] Fix OPENDJ-673: LDAP SDK SSL connections use Grizzly default SSL configurator even when SSLContext is configured
---
opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPServerFilter.java | 24 ++++++++++++++++++++++--
opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPConnection.java | 25 +++++++++++++++++++++++--
2 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPConnection.java b/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPConnection.java
index 475170f..bb5c88a 100644
--- a/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPConnection.java
+++ b/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPConnection.java
@@ -22,7 +22,7 @@
*
*
* Copyright 2010 Sun Microsystems, Inc.
- * Portions Copyright 2011-2012 ForgeRock AS
+ * Portions Copyright 2011-2013 ForgeRock AS
*/
package com.forgerock.opendj.ldap;
@@ -31,6 +31,7 @@
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.GeneralSecurityException;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
@@ -51,6 +52,8 @@
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.ResultHandler;
import org.forgerock.opendj.ldap.SearchResultHandler;
+import org.forgerock.opendj.ldap.SSLContextBuilder;
+import org.forgerock.opendj.ldap.TrustManagers;
import org.forgerock.opendj.ldap.requests.AbandonRequest;
import org.forgerock.opendj.ldap.requests.AddRequest;
import org.forgerock.opendj.ldap.requests.BindClient;
@@ -85,6 +88,23 @@
* LDAP connection implementation.
*/
final class LDAPConnection extends AbstractAsynchronousConnection implements Connection {
+ /**
+ * A dummy SSL client engine configurator as SSLFilter only needs client
+ * config. This prevents Grizzly from needlessly using JVM defaults which
+ * may be incorrectly configured.
+ */
+ private static final SSLEngineConfigurator DUMMY_SSL_ENGINE_CONFIGURATOR;
+ static {
+ try {
+ DUMMY_SSL_ENGINE_CONFIGURATOR =
+ new SSLEngineConfigurator(new SSLContextBuilder().setTrustManager(
+ TrustManagers.distrustAll()).getSSLContext());
+ } catch (GeneralSecurityException e) {
+ // This should never happen.
+ throw new IllegalStateException("Unable to create Dummy SSL Engine Configurator", e);
+ }
+ }
+
private final AtomicBoolean bindOrStartTLSInProgress = new AtomicBoolean(false);
private final org.glassfish.grizzly.Connection<?> connection;
private final LDAPWriter ldapWriter = new LDAPWriter();
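Review bot: The Javadoc at the top of this hunk calls the constant a "dummy SSL client engine configurator", but in this class it is passed as the first argument of `new SSLFilter(...)` in the later hunk (after `.toArray(new String[protocols.size()]))`), which is the server-side slot, so the wording should read `* A dummy SSL server engine configurator as SSLFilter only needs client` with the remaining lines unchanged; the matching text in LDAPServerFilter is correct as written. It would also help to say what makes the stand-in safe rather than only that JVM defaults "may be incorrectly configured": it trusts nothing (`TrustManagers.distrustAll()`), so any peer validation through it fails closed; whether the builder leaves the server credential unset is not visible here, so a sentence confirming that would be worth adding. Finally, this static initializer is duplicated byte-for-byte in the LDAPServerFilter hunk after `LDAP_WRITER`; a single package-private holder referenced from both classes would keep the two fail-closed configurations from drifting apart.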
@@ -791,7 +811,8 @@
.toArray(new String[protocols.size()]));
sslEngineConfigurator.setEnabledCipherSuites(cipherSuites.isEmpty() ? null
: cipherSuites.toArray(new String[cipherSuites.size()]));
- final SSLFilter sslFilter = new SSLFilter(null, sslEngineConfigurator);
+ final SSLFilter sslFilter =
+ new SSLFilter(DUMMY_SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);
installFilter(sslFilter);
sslFilter.handshake(connection, completionHandler);
}
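Review bot: A reader of `new SSLFilter(DUMMY_SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator)` cannot tell from this call site why an outbound client connection now supplies a non-null server-side configurator, and the rationale lives only in the field's Javadoc far above. A one-line comment at the call, `// server-side slot is not used by this client-only filter; pass a fail-closed stand-in rather than null so Grizzly does not build one from JVM defaults`, would carry the intent to where the filter is built. The enclosing method starts outside the hunk.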
diff --git a/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPServerFilter.java b/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPServerFilter.java
index 6e89798..336979c 100644
--- a/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPServerFilter.java
+++ b/opendj-sdk/opendj3/opendj-ldap-sdk/src/main/java/com/forgerock/opendj/ldap/LDAPServerFilter.java
@@ -22,7 +22,7 @@
*
*
* Copyright 2010 Sun Microsystems, Inc.
- * Portions copyright 2012 ForgeRock AS.
+ * Portions copyright 2012-2013 ForgeRock AS.
*/
package com.forgerock.opendj.ldap;
@@ -31,6 +31,7 @@
import java.io.IOException;
import java.net.InetSocketAddress;
+import java.security.GeneralSecurityException;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.SSLContext;
@@ -46,6 +47,8 @@
import org.forgerock.opendj.ldap.ResultHandler;
import org.forgerock.opendj.ldap.SearchResultHandler;
import org.forgerock.opendj.ldap.ServerConnection;
+import org.forgerock.opendj.ldap.SSLContextBuilder;
+import org.forgerock.opendj.ldap.TrustManagers;
import org.forgerock.opendj.ldap.controls.Control;
import org.forgerock.opendj.ldap.requests.AbandonRequest;
import org.forgerock.opendj.ldap.requests.AddRequest;
@@ -220,7 +223,7 @@
sslEngineConfigurator.setEnabledProtocols(protocols);
sslEngineConfigurator.setWantClientAuth(wantClientAuth);
sslEngineConfigurator.setNeedClientAuth(needClientAuth);
- installFilter(new SSLFilter(sslEngineConfigurator, null));
+ installFilter(new SSLFilter(sslEngineConfigurator, DUMMY_SSL_ENGINE_CONFIGURATOR));
}
}
@@ -637,6 +640,23 @@
private static final LDAPWriter LDAP_WRITER = new LDAPWriter();
+ /**
+ * A dummy SSL client engine configurator as SSLFilter only needs server
+ * config. This prevents Grizzly from needlessly using JVM defaults which
+ * may be incorrectly configured.
+ */
+ private static final SSLEngineConfigurator DUMMY_SSL_ENGINE_CONFIGURATOR;
+ static {
+ try {
+ DUMMY_SSL_ENGINE_CONFIGURATOR =
+ new SSLEngineConfigurator(new SSLContextBuilder().setTrustManager(
+ TrustManagers.distrustAll()).getSSLContext());
+ } catch (GeneralSecurityException e) {
+ // This should never happen.
+ throw new IllegalStateException("Unable to create Dummy SSL Engine Configurator", e);
+ }
+ }
+
private final LDAPReader ldapReader;
private final LDAPListenerImpl listener;
private final int maxASN1ElementSize;
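Review bot: The Javadoc on `DUMMY_SSL_ENGINE_CONFIGURATOR` understates the security point of the change: before this commit the `null` client-side argument at `installFilter(new SSLFilter(sslEngineConfigurator, ...))` left Grizzly to derive a client configurator from JVM defaults, including whatever trust store those defaults name, whereas the replacement built on `TrustManagers.distrustAll()` rejects every peer certificate, so the unused slot can no longer be satisfied by an unintended trust decision. Suggest replacing the last sentence of the Javadoc with `* Built with a trust manager that distrusts every certificate so that, if this` / `* client-side slot were ever exercised, the handshake fails rather than falling` / `* back to the JVM default trust store.` The configurator is created with `new SSLEngineConfigurator(ctx)` and no mode flags; I cannot tell from the hunk whether Grizzly sets client mode on a non-null configurator it is handed, so that is worth confirming, although with distrustAll the outcome is a failed handshake either way.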
--
Gitblit v1.10.0