--- icedtea-3.8.0/openjdk/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java 2018-09-18 10:25:46.640166044 +0200
+++ icedtea-3.8.0/openjdk/jdk/src/share/classes/com/sun/jndi/ldap/Connection.java 2018-09-18 10:26:40.104457189 +0200
@@ -27,26 +27,27 @@
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
-import java.io.InterruptedIOException;
 import java.io.IOException;
-import java.io.OutputStream;
 import java.io.InputStream;
+import java.io.InterruptedIOException;
+import java.io.OutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.Socket;
-import javax.net.ssl.SSLSocket;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.Arrays;
 import javax.naming.CommunicationException;
-import javax.naming.ServiceUnavailableException;
-import javax.naming.NamingException;
 import javax.naming.InterruptedNamingException;
-
+import javax.naming.NamingException;
+import javax.naming.ServiceUnavailableException;
 import javax.naming.ldap.Control;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
-import java.lang.reflect.Method;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
-import java.util.Arrays;
 import sun.misc.IOUtils;
-//import javax.net.SocketFactory;
 /**
  * A thread that creates a connection to an LDAP server.
@@ -159,7 +160,18 @@
 int readTimeout;
 int connectTimeout;
+ private static final boolean IS_HOSTNAME_VERIFICATION_DISABLED
+ = hostnameVerificationDisabledValue();
+ private static boolean hostnameVerificationDisabledValue() {
+ PrivilegedAction act = () -> System.getProperty(
+ "com.sun.jndi.ldap.object.disableEndpointIdentification");
+ String prop = AccessController.doPrivileged(act);
+ if (prop == null) {
+ return false;
+ }
+ return prop.isEmpty() ? true : Boolean.parseBoolean(prop);
+ }
 // true means v3; false means v2
 // Called in LdapClient.authenticate() (which is synchronized)
 // when connection is "quiet" and not shared; no need to synchronize
@@ -368,11 +380,17 @@
 // the SSL handshake following socket connection as part of the timeout.
 // So explicitly set a socket read timeout, trigger the SSL handshake,
 // then reset the timeout.
- if (connectTimeout > 0 && socket instanceof SSLSocket) {
+ if (socket instanceof SSLSocket) {
 SSLSocket sslSocket = (SSLSocket) socket;
 int socketTimeout = sslSocket.getSoTimeout();
-
+ if (!IS_HOSTNAME_VERIFICATION_DISABLED) {
+ SSLParameters param = sslSocket.getSSLParameters();
+ param.setEndpointIdentificationAlgorithm("LDAPS");
+ sslSocket.setSSLParameters(param);
+ }
+ if (connectTimeout > 0) {
 sslSocket.setSoTimeout(connectTimeout); // reuse full timeout value
+ }
 sslSocket.startHandshake();
 sslSocket.setSoTimeout(socketTimeout);
 }
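Review bot: `PrivilegedAction act` in hostnameVerificationDisabledValue() is a raw type as rendered here, and `String prop = AccessController.doPrivileged(act)` would then yield Object and not compile, so either the type argument was lost in rendering or the line should read `PrivilegedAction<String> act = () -> System.getProperty(` — worth confirming against the committed file. The flag itself deserves a comment, because it is a JVM-wide opt-out of LDAPS endpoint identification that is read once at class initialization (changing the property later has no effect) and treats a bare `-Dcom.sun.jndi.ldap.object.disableEndpointIdentification` with an empty value as true; I would put above the field `// JVM-wide opt-out of LDAPS hostname verification; read once at class init, and an empty value (bare -D flag) also disables it.` The return is also plainer as `return prop.isEmpty() || Boolean.parseBoolean(prop);`.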
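Review bot: The comment block above the rewritten `if (socket instanceof SSLSocket)` still justifies the explicit handshake purely by the connect timeout, but the handshake is now forced for every SSLSocket, timeout or not, so that endpoint identification runs during connection setup; the comment should say so, e.g. `// Always trigger the handshake here so a certificate/hostname mismatch fails connection setup rather than the first LDAP operation.` A caveat worth recording next to `setEndpointIdentificationAlgorithm("LDAPS")` is that the name checked is the host the SSLSocket was created with or connected to, and the code that builds the socket is not in this hunk (the enclosing method starts before it); if a caller presumably pre-resolved the server to an IP literal, the certificate would have to carry that IP rather than the DNS name — confirm against the socket-creation path. When the opt-out property is set the branch skips verification silently; a single debug-level log line there would help operators notice, though this class's logging facilities are not visible in the hunk.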