Re: [ldap-sdk-discuss] TLS host name verifier
From: Alon Bar-L. <alo...@gm...> - 2014-05-18 10:24:33
On Sun, May 18, 2014 at 12:05 PM, Neil A. Wilson <nei...@un...> wrote:
> On 05/17/2014 06:23 AM, Alon Bar-Lev wrote:
>>
>> Hi,
>>
>> I would like to resume our initial discussion regarding explicit
>> support of HostnameVerifier as a security feature and not implicitly
>> via the callbacks.
>>
>> The host verification should be done immediately after SSL connection
>> establishment; you can see the J2SE source code for the point it is
>> done [1][2], just after the SSLSocket::startHandshake(), which is the
>> expected behaviour.
>>
>> Spoofing prevention is a security feature, it is not an application
>> feature; implementing it using interfaces that are not designed for
>> explicit security use is implementation-specific and subject to break.
>>
>> In the ldap sdk case, the LDAPConnectionReader should be modified to
>> call the HostnameVerifier interface after every call to
>> sslSocket.startHandshake().
>>
>> It is one of the important gaps that I have.
>>
>> Regards,
>> Alon Bar-Lev
>
>
> I have implemented support for this capability in the form of a new
> SSLSocketVerifier API. You can use the LDAPConnectionOptions class to
> specify the SSLSocketVerifier instance that should be used, and this
> verifier will be invoked for any SSLSocket instance that is created (whether
> via a connection that is secured when it is created, or one that is secured
> after the fact using StartTLS). The default implementation doesn't perform
> any verification (in order to preserve backward-compatible behavior), but
> the com.unboundid.util.HostNameSSLSocketVerifier class provides support for
> hostname verification, including support for wildcard certificates and
> making use of subjectAltName extensions.

Thank you!

Question: Why have you selected to expose SSLSocket and not SSLSession?

>>
>> [1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/sun/net/www/protocol/https/HttpsClient.java#563
>> [2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/jndi/ldap/ext/StartTlsResponseImpl.java#203
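A configuration example, added here and not taken from the thread or from the LDAP SDK's own sources, showing the LDAPConnectionOptions setting Neil describes applied to both an LDAPS connection and a StartTLS upgrade, so that a peer whose certificate does not match the dialed host is rejected instead of silently accepted by the no-op default. It assumes the package layout of current SDK releases (`com.unboundid.util.ssl` for `SSLUtil`, `TrustStoreTrustManager` and `HostNameSSLSocketVerifier`) and uses a placeholder trust store path; adjust both to the release and deployment in use.

```java
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier; // package path assumed (current releases)
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

public final class VerifiedLdapConnections {

  // Placeholder path: point this at the trust store holding the directory server's CA.
  private static final String TRUST_STORE = "/path/to/truststore.jks";

  private static SSLUtil sslUtil() {
    return new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
  }

  // The SDK's default verifier accepts every socket (backward-compatible behaviour).
  // Replacing it with HostNameSSLSocketVerifier makes the SDK check the certificate's
  // subjectAltName / CN against the host we dialed right after the TLS handshake.
  static LDAPConnectionOptions verifyingOptions() {
    LDAPConnectionOptions opts = new LDAPConnectionOptions();
    opts.setSSLSocketVerifier(new HostNameSSLSocketVerifier(true)); // true: allow wildcard certs
    return opts;
  }

  // LDAPS: the socket is TLS from creation, so the verifier runs during connect().
  static LDAPConnection connectLdaps(String host, int port)
      throws LDAPException, GeneralSecurityException {
    SSLSocketFactory factory = sslUtil().createSSLSocketFactory();
    return new LDAPConnection(factory, verifyingOptions(), host, port);
  }

  // StartTLS: plaintext connect, then upgrade; the same verifier runs after the handshake.
  static LDAPConnection connectStartTls(String host, int port)
      throws LDAPException, GeneralSecurityException {
    LDAPConnection conn = new LDAPConnection(verifyingOptions(), host, port);
    SSLContext ctx = sslUtil().createSSLContext();
    ExtendedResult result = conn.processExtendedOperation(new StartTLSExtendedRequest(ctx));
    if (result.getResultCode() != ResultCode.SUCCESS) {
      conn.close(); // never keep using a connection whose upgrade to TLS failed
      throw new LDAPException(result);
    }
    return conn;
  }
}
```

A hostname mismatch surfaces as an LDAPException from the connect or StartTLS call, which is the point at which the HTTPS client and JNDI StartTLS code cited in [1][2] also perform their checks.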