OpenDJ issue OPENDJ-4714

SSL handshake now sends 16KB list of CA issuer DNs

    Details

    • Type: Bug
    • Status: Dev backlog
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.0.0
    • Fix Version/s: None
    • Component/s: devops, security

      Description

      This was noticed while working on OPENDJ-4441. The LDAP connection supports SSL client auth which means that it sends the list of accepted CAs in its SSL handshake. We recently switched our default trust manager to the JVM trust manager which contains 250 or so CAs. The result is that the handshake message has ballooned from a few bytes to over 16KB.

      Suggested fix:

      We should either:

      • use a different trust manager by default
      • not send the list of accepted CAs (it's optional)
      • have an advanced option to control whether the CA list is sent or not.
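The second bullet above (do not send the list) can be implemented entirely on the trust-manager side, because JSSE builds the certificate_authorities field of the TLS 1.2 CertificateRequest from whatever X509TrustManager.getAcceptedIssuers() returns. The following is an added example, not OpenDJ code: a hypothetical NoIssuerListTrustManager that delegates all validation to the real trust manager but advertises an empty issuer list (permitted by RFC 5246 section 7.4.4), plus a helper that reproduces the size measurement behind the 16KB figure by summing the wire encoding of each accepted issuer's subject DN. It assumes a Java 7+ JSSE provider and that the JVM default trust store is what the server would otherwise use.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical wrapper (example code, not part of OpenDJ). JSSE fills the
 * certificate_authorities field of the TLS 1.2 CertificateRequest from
 * getAcceptedIssuers(); returning an empty array makes the server send an
 * empty list while checkClientTrusted() still validates the client's chain
 * against the wrapped trust store exactly as before.
 */
public final class NoIssuerListTrustManager extends X509ExtendedTrustManager {

    private final X509TrustManager delegate;

    public NoIssuerListTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    /** Empty list: the client may present any certificate, which we then validate. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    // The Socket/SSLEngine overloads carry endpoint-identification context; use
    // them when the delegate supports them, otherwise fall back to the plain check.
    private X509ExtendedTrustManager extended() {
        return delegate instanceof X509ExtendedTrustManager ? (X509ExtendedTrustManager) delegate : null;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        if (extended() != null) extended().checkClientTrusted(chain, authType, socket);
        else delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        if (extended() != null) extended().checkServerTrusted(chain, authType, socket);
        else delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        if (extended() != null) extended().checkClientTrusted(chain, authType, engine);
        else delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        if (extended() != null) extended().checkServerTrusted(chain, authType, engine);
        else delegate.checkServerTrusted(chain, authType);
    }

    /** Replace every X509TrustManager in a TrustManagerFactory result with the wrapped form. */
    public static TrustManager[] wrap(TrustManager[] managers) {
        TrustManager[] out = new TrustManager[managers.length];
        for (int i = 0; i < managers.length; i++) {
            out[i] = managers[i] instanceof X509TrustManager
                    ? new NoIssuerListTrustManager((X509TrustManager) managers[i])
                    : managers[i];
        }
        return out;
    }

    /**
     * Bytes the issuer list occupies in a TLS 1.2 CertificateRequest: a 2-byte
     * list length, then per issuer a 2-byte length plus the DER subject name
     * (RFC 5246 section 7.4.4). Cipher/signature fields add a few more bytes.
     */
    public static int issuerListWireSize(X509TrustManager tm) {
        int size = 2;
        for (X509Certificate issuer : tm.getAcceptedIssuers()) {
            size += 2 + issuer.getSubjectX500Principal().getEncoded().length;
        }
        return size;
    }

    public static void main(String[] args) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JVM default trust store (cacerts)
        X509TrustManager jvm = (X509TrustManager) wrapFirst(tmf.getTrustManagers());
        X509TrustManager quiet = new NoIssuerListTrustManager(jvm);
        System.out.printf("JVM trust manager: %d issuers, %d bytes of certificate_authorities%n",
                jvm.getAcceptedIssuers().length, issuerListWireSize(jvm));
        System.out.printf("Wrapped trust manager: %d issuers, %d bytes%n",
                quiet.getAcceptedIssuers().length, issuerListWireSize(quiet));
        // Server side would then do: SSLContext.getInstance("TLS").init(keyManagers, wrap(tmf.getTrustManagers()), null);
    }

    private static TrustManager wrapFirst(TrustManager[] managers) {
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) return tm;
        }
        throw new IllegalStateException("no X509TrustManager in default factory");
    }
}
```

Two caveats before adopting this as the default. A handshake message larger than the 2^14-byte record limit of RFC 5246 section 6.2.1 has to be fragmented across TLS records, which is one reason the size is worth bounding at all; but an empty certificate_authorities list also removes the hint that clients use to pick which client certificate to present, so a client holding several certificates may send the wrong one or none. That is the argument for the third bullet above (an advanced option) over hard-wiring the empty list.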


              People

              • Assignee: Unassigned
              • Reporter: Matthew Swift (matthew)
