Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-6389

Reconsider fingerprint certificate mapper settings


    • Type: Improvement
    • Status: Done
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: config
    • Labels:


      A fingerprint certificate mapper, https://ea.forgerock.com/docs/ds/configref/#objects-fingerprint-certificate-mapper, "maps client certificates to user entries by looking for the MD5 or SHA1 fingerprint in a specified attribute of user entries." It also works with SHA-256 fingerprints.

      The primary use case appears to be avoiding storing entire certificates. It is fairly natural when configuring SASL EXTERNAL to allow authentication with a certificate to allow the client to essentially authenticate with the fingerprint. If clients are using self-signed certificates as a sort of replacement for username-password combinations, the fingerprint needs to be hard to fake.

      The present configuration uses the MD5 fingerprint by default. With MD5 it is relatively easy to generate collisions (https://www.win.tue.nl/hashclash/rogue-ca/). It could be helpful to switch to SHA-256 as the default for new deployments.

      However, now that OpenDJ has support for certificate syntax, it might be worth moving from storing only the fingerprint to storing the certificate, and perhaps indexing only the fingerprint or some other element used for mapping. If the server has the whole certificate, it is also easier to perform cleanup like finding and removing expired certs, and it is possible to support multiple mappings without updating entries.


          Issue Links



              • Assignee:
                miroslav.meca Miroslav Meca
                Mark Mark Craig
                Dev Assignee:
                Gaetan Boismal [X] (Inactive)
                QA Assignee:
                Miroslav Meca
              • Votes:
                0 Vote for this issue
                6 Start watching this issue


                • Created: