[FIXED JENKINS-8132] Fixed a bug in TLS upgrade. Setting the socket factory kills the connection and the next time it tries to connect the client will attempt LDAPS.

The server, expecting an LDAP (without S) connection, resets the connection, which results in "connection reset" error. All in all, it wasn't working as TLS.

The correct way to specify the SSLSocketFactory is apparently to pass it to the negotiate method.
kohsuke committed Nov 4, 2011
1 parent eb436bd commit a0a130eb6ed978731e14313ba65f0be17e6253dd
Showing 1 changed file with 3 additions and 5 deletions.
@@ -36,6 +36,7 @@
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletException;

import org.acegisecurity.AuthenticationException;
@@ -347,18 +348,15 @@ private LdapContext bind(String principalName, String password, SocketInfo serve
String ldapUrl = "ldap://" + server + '/';
String oldName = Thread.currentThread().getName();
Thread.currentThread().setName("Connecting to "+ldapUrl+" : "+oldName);
LOGGER.fine("Connecting to " + ldapUrl);
try {
LdapContext context = (LdapContext)LdapCtxFactory.getLdapCtxInstance(ldapUrl, props);

// try to upgrade to TLS if we can, but failing to do so isn't fatal
// see http://download.oracle.com/javase/jndi/tutorial/ldap/ext/starttls.html
try {
// specifying custom socket factory requires that a caller to set the correct
// context classloader so that this name resolves to the class instance.
context.addToEnvironment("java.naming.ldap.factory.socket", TrustAllSocketFactory.class.getName());

StartTlsResponse rsp = (StartTlsResponse)context.extendedOperation(new StartTlsRequest());
rsp.negotiate();
rsp.negotiate((SSLSocketFactory)TrustAllSocketFactory.getDefault());
LOGGER.fine("Connection upgraded to TLS");
} catch (NamingException e) {
LOGGER.log(Level.FINE, "Failed to start TLS. Authentication will be done via plain-text LDAP", e);
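Review bot: the factory handed to rsp.negotiate() is TrustAllSocketFactory, so the negotiated TLS session accepts any server certificate; the upgrade then protects the bind password only against passive observation on the wire, not against an active interceptor that presents its own certificate. Where the deployment has a known server certificate, consider passing an SSLSocketFactory built from a configured trust store instead. Separately, the catch block logs "Failed to start TLS. Authentication will be done via plain-text LDAP" at Level.FINE, which means a fallback to sending the password in clear text leaves no trace in a default log configuration; a downgrade of this kind fits Level.WARNING, or could be made opt-in rather than automatic.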
