Re: [ldap-sdk-discuss] TLS host name verifier
From: Neil A. W. <nei...@un...> - 2014-05-18 09:05:43
On 05/17/2014 06:23 AM, Alon Bar-Lev wrote:
> Hi,
>
> I would like to resume our initial discussion regarding explicit
> support of HostnameVerifier as a security feature and not implicitly
> via the callbacks.
>
> The host verification should be done immediately after SSL connection
> establishment, you can see the J2SE source code for the point it is
> done[1][2], just after the SSLSocket::startHandshake(), which is the
> expected behaviour.
>
> Spoofing prevention is a security feature, it is not an application
> feature, implementing it using interfaces that are not designed for
> explicit security use is implementation specific and subject to break.
>
> In the ldap sdk case, the LDAPConnectionReader should be modified to
> call HostnameVerifier interface after every call to
> sslSocket.startHandshake().
>
> It is one of the important gaps that I have.
>
> Regards,
> Alon Bar-Lev

I have implemented support for this capability in the form of a new SSLSocketVerifier API. You can use the LDAPConnectionOptions class to specify the SSLSocketVerifier instance that should be used, and this verifier will be invoked for any SSLSocket instance that is created (whether via a connection that is secured when it is created, or one that is secured after the fact using StartTLS). The default implementation doesn't perform any verification (in order to preserve backward-compatible behavior), but the com.unboundid.util.HostNameSSLSocketVerifier class provides support for hostname verification, including support for wildcard certificates and making use of subjectAltName extensions.
> [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/sun/net/www/protocol/https/HttpsClient.java#563
> [2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/jndi/ldap/ext/StartTlsResponseImpl.java#203
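As an added example (not code from this thread, nor from the SDK's own documentation), the following shows how an application opts into the verifier Neil describes, for both an LDAPS connection and a connection upgraded with StartTLS. Because the default verifier performs no checks, the hostname verifier has to be set explicitly on LDAPConnectionOptions. The example assumes the released class location com.unboundid.util.ssl.HostNameSSLSocketVerifier, the method LDAPConnectionOptions.setSSLSocketVerifier, and uses placeholder values for the host, ports and truststore path.

```java
import javax.net.ssl.SSLSocketFactory;

import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/**
 * Added example: enabling hostname verification in the UnboundID LDAP SDK.
 * Host, ports and truststore path are placeholders (assumptions, not from the thread).
 */
public final class VerifiedLdapConnections {

    private static final String LDAP_HOST = "ldap.example.com";          // placeholder
    private static final int LDAPS_PORT = 636;                            // placeholder
    private static final int LDAP_PORT = 389;                             // placeholder
    private static final String TRUST_STORE = "/path/to/truststore.jks";  // placeholder

    /** The SDK's default verifier checks nothing, so a hostname verifier is set explicitly. */
    static LDAPConnectionOptions verifyingOptions() {
        LDAPConnectionOptions options = new LDAPConnectionOptions();
        // true = accept wildcard certificates such as *.example.com; subjectAltName
        // entries are consulted as well, as described in the thread.
        options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true));
        return options;
    }

    /** Trust only the CA certificates in the truststore rather than whatever the JVM trusts. */
    static SSLUtil sslUtil() {
        return new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
    }

    /** LDAPS: the socket is TLS from the start; the verifier runs right after the handshake. */
    static LDAPConnection connectLdaps() throws Exception {
        SSLSocketFactory factory = sslUtil().createSSLSocketFactory();
        // If the presented certificate does not match LDAP_HOST, the constructor throws
        // LDAPException and no LDAP request is ever sent to the unverified peer.
        return new LDAPConnection(factory, verifyingOptions(), LDAP_HOST, LDAPS_PORT);
    }

    /** StartTLS: plaintext connect, then upgrade; the same verifier is applied to the new SSLSocket. */
    static LDAPConnection connectStartTls() throws Exception {
        LDAPConnection conn = new LDAPConnection(verifyingOptions(), LDAP_HOST, LDAP_PORT);
        try {
            ExtendedResult result = conn.processExtendedOperation(
                    new StartTLSExtendedRequest(sslUtil().createSSLContext()));
            if (result.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(result);
            }
            return conn;
        } catch (Exception e) {
            // Never keep using the plaintext connection if the upgrade or verification failed.
            conn.close();
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        LDAPConnection conn = connectLdaps();
        try {
            System.out.println("Connected and hostname verified: " + conn.getConnectedAddress());
        } finally {
            conn.close();
        }
    }
}
```

Both paths share one LDAPConnectionOptions instance so that verification cannot be silently left out of the StartTLS path, which is where Alon's reference [2] shows the JDK's own LDAP client performing the check.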