
SSL client auth policy default does not work as advertised out of the box


    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 2.6.0, 2.4.6
    • Fix Version/s: Not applicable
    • Component/s: core server
    • Labels:


By default when you install OpenDJ with a self-signed cert and enable StartTLS on the LDAP port, the client auth policy for the LDAP connection handler is set to optional:

optional - Clients are requested to provide their own certificates when performing SSL negotiation, but still accept the connection even if the client does not provide a certificate.

As Chris Ridd found, and then I reproduced, when you set up client certificate authentication as described in CR-1234, the result is LDAP 49.

If you set ssl-client-auth-policy: required for the handler, and try again, the bind is successful.

Oddly enough, if you change the value – I changed it a couple of times – and set it back to optional, then the bind is successful, too. Chris restarted OpenDJ and saw it work, but I saw it work without restarting the server.

The expected behavior would be that it works with ssl-client-auth-policy: optional out of the box.
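A command-line version of the check described in this report, added here as an example that is not part of the issue or of the OpenDJ project: it reads the handler's ssl-client-auth-policy with dsconfig, then attempts a StartTLS bind with a client certificate via SASL EXTERNAL and reports the LDAP result code. Host, ports, the admin password file, the keystore and truststore paths and the certificate nickname are assumptions (placeholders to replace).

```shell
#!/bin/sh
# Added example (not from the issue): inspect the LDAP connection handler's
# ssl-client-auth-policy and test a client-certificate bind over StartTLS.
# Every host/port/path value below is an assumed placeholder; adjust to your install.
LDAP_HOST=${LDAP_HOST:-localhost}
LDAP_PORT=${LDAP_PORT:-1389}
ADMIN_PORT=${ADMIN_PORT:-4444}
ADMIN_DN=${ADMIN_DN:-"cn=Directory Manager"}
ADMIN_PW_FILE=${ADMIN_PW_FILE:-/path/to/admin.pw}                  # placeholder
CLIENT_KEYSTORE=${CLIENT_KEYSTORE:-/path/to/client-keystore.jks}   # placeholder
CLIENT_KEYSTORE_PW_FILE=${CLIENT_KEYSTORE_PW_FILE:-/path/to/client-keystore.pw}
CLIENT_CERT_NICK=${CLIENT_CERT_NICK:-client-cert}                  # placeholder
SERVER_TRUSTSTORE=${SERVER_TRUSTSTORE:-/path/to/server-truststore.jks}

# Print the current ssl-client-auth-policy of the LDAP connection handler.
show_client_auth_policy() {
    dsconfig get-connection-handler-prop \
        --hostname "$LDAP_HOST" --port "$ADMIN_PORT" \
        --bindDN "$ADMIN_DN" --bindPasswordFile "$ADMIN_PW_FILE" \
        --handler-name "LDAP Connection Handler" \
        --property ssl-client-auth-policy --trustAll --no-prompt
}

# Attempt a SASL EXTERNAL bind with the client certificate over StartTLS and
# echo ldapsearch's exit status, which OpenDJ sets to the LDAP result code.
check_cert_bind() {
    ldapsearch --hostname "$LDAP_HOST" --port "$LDAP_PORT" --useStartTLS \
        --keyStorePath "$CLIENT_KEYSTORE" --keyStorePasswordFile "$CLIENT_KEYSTORE_PW_FILE" \
        --certNickname "$CLIENT_CERT_NICK" --trustStorePath "$SERVER_TRUSTSTORE" \
        --saslOption mech=EXTERNAL \
        --baseDN "" --searchScope base "(objectclass=*)" 1.1 >/dev/null 2>&1
    echo $?
}

# Translate the result code into what it means for this report.
explain_bind_rc() {
    case "$1" in
        0)  echo "bind succeeded: client certificate accepted and mapped to an entry" ;;
        49) echo "LDAP 49 (invalidCredentials): client certificate not accepted for the bind" ;;
        *)  echo "unexpected result code $1" ;;
    esac
}

# Run the check only when the OpenDJ tools are on PATH, so the file sources safely.
if command -v dsconfig >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1; then
    show_client_auth_policy
    explain_bind_rc "$(check_cert_bind)"
fi
```

Run it once with the policy at optional and again after setting it to required (dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set ssl-client-auth-policy:required) to compare the two outcomes the report describes.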




            • Assignee:
              Matthew Swift
              Mark Craig
            • Dev Assignee:
              Matthew Swift