Description
Sonar issues a warning regarding usage of weak SSL/TLS protocols for the following code in LDAPIdentityProvider:

    // make sure the JVM supports the TLSv1.1
    try {
        enabledSSLProtocols = null;
        SSLContext.getInstance("TLSv1.1");
    } catch (NoSuchAlgorithmException e) {
        log.warn("JDK does not support TLSv1.1. Disabling it.");
        enabledSSLProtocols = new String[]{"TLSv1"};
    }
This code has been introduced with OAK-2951 (Regression: SSL errors with latest ldap client). My preference for addressing this would be to drop the try/catch altogether and replace it with an optional configuration option that allows explicitly defining the protocols to be enabled on the LDAPConnectionConfiguration.
The downside of this approach: current usages of oak-auth-ldap that relied on having an automatic fallback to TLSv1 installed would no longer work. However, I am not sure how big that risk is, given that TLSv1.2 is required to be supported since Java 9 (https://docs.oracle.com/javase/9/docs/api/javax/net/ssl/SSLContext.html).
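As an added illustration of the proposed approach (example code, not Oak's own): the protocol list comes from a hypothetical "enabledProtocols" option, a protocol the JVM does not support fails fast instead of triggering a silent downgrade to TLSv1, and protocols Sonar would flag as weak are only accepted when an administrator configured them explicitly. The class name, the option name and the WEAK set are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/** Hypothetical replacement for the try/catch fallback quoted above. */
public final class EnabledProtocols {

    /** Defaults applied when the hypothetical "enabledProtocols" option is empty. */
    static final String[] DEFAULT_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /** Protocols that are still "supported" by current JVMs but are considered weak. */
    static final Set<String> WEAK = new HashSet<>(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));

    /**
     * @param configured value of the hypothetical option; null or empty selects the defaults
     * @return the protocols to pass on to the LDAP connection configuration
     * @throws IllegalStateException if a configured protocol is unknown to the running JVM
     */
    public static String[] resolve(String[] configured) throws NoSuchAlgorithmException {
        String[] wanted = (configured == null || configured.length == 0)
                ? DEFAULT_PROTOCOLS : configured;
        // Everything the default SSLContext can offer, not only what it enables by default.
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        for (String p : wanted) {
            if (!supported.contains(p)) {
                // A protocol the JVM cannot provide is a deployment error, not a reason to downgrade.
                throw new IllegalStateException("JVM does not support configured protocol " + p);
            }
            if (WEAK.contains(p)) {
                // Explicitly configured, so honoured, but made visible in the log.
                System.err.println("WARN: weak protocol " + p + " explicitly enabled by configuration");
            }
        }
        return wanted.clone();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(Arrays.toString(resolve(null)));
        System.out.println(Arrays.toString(resolve(new String[]{"TLSv1.2", "TLSv1"})));
        try {
            resolve(new String[]{"TLSv9-bogus"});
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```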
Issue Links
- incorporates OAK-9446 update documentation reflecting config option added with OAK-9442 (Closed)