powered by Jive Software

Possible SimpleSSLSocketFactory security issue

Hi,

I was configuring openfire to use LDAP using SSL and client certificates… and after 3 days of trial-and-error, I find out that the problem come from SimpleSSLSocketFactory being used to create LDAP context.

Commenting 'env.put(“java.naming.ldap.factory.socket”, “org.jivesoftware.util.SimpleSSLSocketFactory”); ’ in LdapManager and configuring the right system properties (javax.net.ssl.trustStore) solved the problem.

So my question: why is SimpleSSLSocketFactory? after further inspection it just look like an buggy SSL factory implementation (it bypass some trustmanager mechanisms, which make man-in-the-middle attack possible).

My left brain just could see that its purpose it to just make thinks work. But my right brain hurts just by the false sense of security that it may give to most users.

Any comments?

Regards,

Frederic