OpenDJ / OPENDJ-4752

Invalid certificate should be automatically not trusted when using '--no-prompt' option

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0
    • Fix Version/s: 6.0.0
    • Component/s: tools
    • Flagged: Impediment

      Description

      Found using OpenDJ 6.0.0 rev f573eca56aa

      Scenario
      1. install a server and create an LDAPS connection handler with a keystore containing a certificate with a wrong hostname
      2. do an ldapsearch on this server with the '--no-prompt' option and verify that the certificate is not trusted automatically

      $ opendj/bin/ldapsearch -p 1639 --no-prompt -P /tmp/java-client-truststore.jks -T truststorepass -D "cn=Directory Manager" -w password -b dc=com -s base -Z "objectclass=*"

      Server Certificate:

      User DN  : CN=*.wrong.forgerock.com, O=Forgerock, C=FR
      Validity : From 'Tue Feb 06 17:29:08 CET 2018'
                   To 'Fri Feb 04 17:29:08 CET 2028'
      Issuer   : CN=*.root-ca.forgerock.com, O=Forgerock, C=FR

      Do you trust this server certificate?

        1) No
        2) Yes, for this session only
        3) View certificate details

      Enter choice: [2]:


      ==> here, despite the '--no-prompt' option, the command is blocked on the certificate validation
      ==> moreover, the default choice with '--no-prompt' should be [1]

      To reproduce the issue:

      $ ./run-pybot.py -s badssl_group.ldaptools -t Ldapsearch_wronghost -v -n DJ
      

              People

              • Assignee: Yannick Lecaillez (ylecaillez)
              • Reporter: Christophe Sovant (csovant)
              • QA Assignee: Viktor Nawrath
              • Votes: 0
              • Watchers: 2
