-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8259707: LDAP channel binding does not work with StartTLS extension #2085
Conversation
👋 Welcome back abakhtin! A progress list of the required criteria for merging this PR into |
@alexeybakhtin The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Webrevs
|
Can you add a test for this or is it too hard? There are existing tests for StartTLS in the security/infra area -- could they be enhanced to test this case? |
Unfortunately, I can not find any LDAP StartTLS Extended Operation regression tests. security/infra area contains RevocationChecker tests. They can not be used for this scenario. |
Ok, please add a noreg-hard label to the bug. |
@alexeybakhtin This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 112 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@seanjmullan, @dfuch, @AlekseiEfimov) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type |
Sean, Thank you for review |
/integrate |
@alexeybakhtin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That look reasonable to me. But what would happen if at some point after performing some LDAP operations, you called StartTLSResponse::close and then after some more time you tried to again create a StartTLSRequest on the same context? Would that work - or would you be using a possibly obsolete channel binding obtained from the first upgrade?
The change looks valid to me too.
|
New ChannelBinding Data will be recreated for every TLS connection and provided to SASL Client in the new environment properties set (cloned from the original).
|
Hi Alexey, Aleksei and I have concern because this code uses a best regards, -- daniel |
Hi Daniel, Aleksei, You are right, the second StartTLS request works incorrectly because of a single CompletableFuture. I do not know if several StartTLS sessions are used in the wild, but there are no such restrictions in the spec. I have updated the review to create new CompletableFuture for each TLS session. Updated test, suggested by Aleksei is passed. I have verified that the Channel Binding data is created on the base of a new cert object every TLS session. |
} | ||
|
||
public boolean isTlsConnection() { | ||
return sock instanceof SSLSocket; | ||
private HandshakeListener tlsHandshakeListener; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe that volatile
modifier should be added here. And it could be beneficial for future maintainers to have here a comment block with a brief description of when tlsHandshakeListener
is used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree. Added comments and volatile modifier.
|
||
private class HandshakeListener implements HandshakeCompletedListener { | ||
|
||
private CompletableFuture<X509Certificate> tlsHandshakeCompleted = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tlsHandshakeCompleted
could be made final
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. Made it final
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Alexey,
The latest changes look good to me.
Thanks for handling a case of sequential StartTLS requests on one LDAP context and running the modified test. I've also checked that existing LDAP tests shows no failures with the proposed changes.
You might also want to update last modification years to 2021
in both files.
/integrate |
@alexeybakhtin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for taking this on!
I will sponsor this! |
/sponsor |
@dfuch @alexeybakhtin Since your change was applied there have been 112 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit 874aef4. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Please review a small patch to enable LDAP TLS Channel Binding with StartTLS Extension.
Test from the bug report and jtreg javax/naming tests are passed.
Progress
Issue
Reviewers
Download
$ git fetch https://git.openjdk.java.net/jdk pull/2085/head:pull/2085
$ git checkout pull/2085