RFR: 8259707: LDAP channel binding does not work with StartTLS extension

Aleksei Efimov aefimov at openjdk.java.net
Wed Jan 20 15:11:51 UTC 2021

On Wed, 20 Jan 2021 14:41:26 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Please review a small patch to enable LDAP TLS Channel Binding with StartTLS Extension.
>> Test from the bug report and jtreg javax/naming tests are passed.
> That look reasonable to me. But what would happen if at some point after performing some LDAP operations, you called StartTLSResponse::close and then after some more time you tried to again create a StartTLSRequest on the same context? Would that work - or would you be using a possibly obsolete channel binding obtained from the first upgrade?

The change looks valid to me too.
I believe Daniel question could be illustrated with the following change to `CBwithTLS` reproducer attached to the bug report:
--- CBwithTLS_Original.java	2021-01-20 14:56:09.620844903 +0000
+++ CBwithTLS.java	2021-01-20 15:01:47.253982227 +0000
@@ -45,7 +45,7 @@
         System.out.println(ctxt.getAttributes("", new String[]{"defaultNamingContext"}).get("defaultNamingContext").get());
         // Switch to TLS
+        for (int i=0; i<2; i++) {
         StartTlsResponse tls = (StartTlsResponse) ctxt.extendedOperation(new StartTlsRequest());
@@ -64,6 +64,9 @@
         Subject.doAs(lc.getSubject(), (PrivilegedAction<Void>) CBwithTLS::run);
+            lc.logout();
+            tls.close();
+        }
     private static Void run() {


PR: https://git.openjdk.java.net/jdk/pull/2085

More information about the core-libs-dev mailing list