[OPENDJ-5620] Backport OPENDJ-5553: Rest2Ldap cannot connect to TLSv1.2 servers Created: 25/Oct/18 Updated: 08/Nov/19 Resolved: 28/May/19
|Component/s:||core apis, security|
|Affects Version/s:||6.5.0, 5.5.1|
|Reporter:||Chris Ridd|
|Assignee:||Chris Ridd|
Rest2Ldap uses SslContextBuilder in order to configure the SslOptions for any outbound LDAP connections to backend LDAP servers. However, SslContextBuilder is hardwired to use the "TLSv1" driver, which causes clients to be constrained to only TLSv1.0 unless specific protocols are enabled using javax.net.ssl.SSLEngine#setEnabledProtocols():
The SslContextBuilder should use the "TLS" driver, which usually supports the full range of protocols enabled by the JVM (i.e. excluding black-listed protocols such as SSLv3). Using "TLS" will allow clients such as Rest2Ldap to connect to any server as long as the server supports one of the protocols supported by the client. By default we should not touch the list of enabled protocols or ciphers; the user may choose to restrict the set of protocols or ciphers for additional security. Finally, we should never enable the full set of ciphers returned by SSLContext#getSupportedSSLParameters(), since this includes ciphers that are not recommended for general use. In particular, enabling a cipher such as "TLS_DH_anon_WITH_AES_256_GCM_SHA384" on the client side will make the client vulnerable to a man-in-the-middle attack, since authentication is disabled.
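The following Java program is an added illustration of the point above; it is not OpenDJ's SslContextBuilder and is not code from this ticket. It builds an SSLContext with the "TLSv1" algorithm and with "TLS", prints which protocols each one enables by default on the running JDK (the exact lists depend on the JDK version and its jdk.tls.disabledAlgorithms setting), shows that the *supported* cipher list contains anonymous suites that must never be copied into the enabled list, and offers a helper that only ever narrows the JVM defaults. The hostname ldap.example.com and the helper names are placeholders chosen for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Illustrates why an LDAP client should ask for the "TLS" SSLContext algorithm
 * rather than "TLSv1", and why SSLContext#getSupportedSSLParameters() is not a
 * safe source for the list of enabled cipher suites.
 */
public final class TlsDefaultsCheck {

    /** Suites with no peer authentication or no encryption; a client must never enable these. */
    static boolean isUnsafeSuite(String suite) {
        return suite.contains("_anon_") || suite.contains("_NULL_") || suite.contains("_EXPORT_");
    }

    /** Builds a context and leaves the JVM's default trust store and defaults untouched. */
    static SSLContext buildContext(String algorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(algorithm);
        ctx.init(null, null, null); // null = JVM default key/trust managers and SecureRandom
        return ctx;
    }

    /** Creates a client-mode engine for the (placeholder) backend server. */
    static SSLEngine clientEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine("ldap.example.com", 636); // placeholder host
        engine.setUseClientMode(true);
        return engine;
    }

    /** Suites that would silently become enabled if a client copied the supported list wholesale. */
    static List<String> unsafeSuitesInSupportedList(SSLContext ctx) {
        List<String> unsafe = new ArrayList<>();
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (isUnsafeSuite(suite)) {
                unsafe.add(suite);
            }
        }
        return unsafe;
    }

    /**
     * Optional user hardening: restrict the enabled protocols to a subset of what the JDK
     * already enables. Intersecting with the supported list avoids the IllegalArgumentException
     * that setEnabledProtocols() throws for a name the JDK does not know.
     */
    static void restrictProtocols(SSLEngine engine, String... allowed) {
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> chosen = new ArrayList<>();
        for (String p : allowed) {
            if (supported.contains(p)) {
                chosen.add(p);
            }
        }
        if (chosen.isEmpty()) {
            throw new IllegalArgumentException("none of " + Arrays.toString(allowed) + " is supported");
        }
        engine.setEnabledProtocols(chosen.toArray(new String[0]));
    }

    /** Defensive check a client can run after configuration: no anonymous/NULL suite is enabled. */
    static void assertNoUnsafeSuites(SSLEngine engine) {
        for (String suite : engine.getEnabledCipherSuites()) {
            if (isUnsafeSuite(suite)) {
                throw new IllegalStateException("unsafe cipher suite enabled: " + suite);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. "TLSv1" versus "TLS": compare what each enables by default on this JDK.
        for (String algorithm : new String[] {"TLSv1", "TLS"}) {
            SSLEngine engine = clientEngine(buildContext(algorithm));
            System.out.printf("%-5s enabled protocols: %s%n",
                    algorithm, Arrays.toString(engine.getEnabledProtocols()));
        }

        // 2. The supported list is not a safe enabled list.
        SSLContext ctx = buildContext("TLS");
        System.out.println("anonymous/NULL suites present in the supported list: "
                + unsafeSuitesInSupportedList(ctx));

        // 3. Defaults are left alone; a user may narrow them, never widen them.
        SSLEngine engine = clientEngine(ctx);
        assertNoUnsafeSuites(engine); // JDK defaults pass this check
        restrictProtocols(engine, "TLSv1.3", "TLSv1.2");
        System.out.println("after optional restriction: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

Run it with `java TlsDefaultsCheck.java` on JDK 11 or later. The first two lines of output show the constraint the ticket describes: the "TLSv1" context enables only TLSv1.0 while "TLS" enables the JDK's full default set, and the third line lists the `_anon_` suites (such as TLS_DH_anon_WITH_AES_256_GCM_SHA384) that are supported but, correctly, not enabled by default.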
|Comment by Ondrej Fuchsik [ 19/Jul/19 ]|
Verified with 5.5.3-SNAPSHOT rev. 64de54d4ab8.