JDK-8259707: LDAP channel binding does not work with StartTLS extension

        Description

        The fix for https://bugs.openjdk.java.net/browse/JDK-8245527 enables LDAP channel binding support for GSS/Kerberos authentication over LDAPS.

        However, this does not work if the LDAP StartTLS extension is used. Code may connect to Active Directory anonymously to read the rootDSE and then switch to TLS before authenticating.

        The server certificate available in the SSLSession returned from StartTlsResponse.negotiate() can be used to determine the channel binding data.
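As an added example (not JDK code and not the CBwithTLS.java attached to this issue) of the flow described above, assuming a directory host dc.example.test: the anonymous rootDSE read, the StartTLS switch on the same connection, and the tls-server-end-point channel binding (RFC 5929, section 4.1) derived from the server certificate in the negotiated SSLSession. Whether the JDK's GSSAPI bind then attaches that binding is exactly the gap this issue reports.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

public class StartTlsChannelBinding {

    // RFC 5929 tls-server-end-point: hash of the DER certificate with the hash
    // from its signature algorithm; MD5 and SHA-1 are upgraded to SHA-256.
    // (RSASSA-PSS keeps its hash in the algorithm parameters; not handled here.)
    static byte[] tlsServerEndPoint(X509Certificate cert) throws Exception {
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT); // e.g. SHA256WITHRSA
        String hash = "SHA-256";
        if (sigAlg.startsWith("SHA384")) hash = "SHA-384";
        else if (sigAlg.startsWith("SHA512")) hash = "SHA-512";
        return MessageDigest.getInstance(hash).digest(cert.getEncoded());
    }

    // GSS channel-binding application data: the CB type prefix followed by the hash.
    static byte[] gssApplicationData(byte[] cbHash) {
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] out = new byte[prefix.length + cbHash.length];
        System.arraycopy(prefix, 0, out, 0, prefix.length);
        System.arraycopy(cbHash, 0, out, prefix.length, cbHash.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://dc.example.test:389"); // assumed host
        env.put(Context.SECURITY_AUTHENTICATION, "none");           // anonymous, as in the report
        LdapContext ctx = new InitialLdapContext(env, null);
        Attributes rootDse = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"});
        System.out.println("rootDSE: " + rootDse);
        // Switch the same connection to TLS before authenticating.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession session = tls.negotiate();
        X509Certificate serverCert = (X509Certificate) session.getPeerCertificates()[0];
        byte[] cb = gssApplicationData(tlsServerEndPoint(serverCert));
        System.out.printf("tls-server-end-point binding: %d bytes%n", cb.length);
        // GSSAPI bind over the StartTLS session; the JDK is expected to carry cb here.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        ctx.reconnect(null);
        tls.close();
        ctx.close();
    }
}
```

The server's response to the GSSAPI bind is what shows whether the binding was honoured: a domain controller enforcing channel binding rejects a bind whose token carries none.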

          Attachments

          1. CBwithTLS.java (5 kB, Richard Evans)
          2. ldtest.conf (0.1 kB, Richard Evans)


                People

                Assignee: Alexey Bakhtin (abakhtin)
                Reporter: Richard Evans (revans)
                Votes: 0
                Watchers: 5
