Add support for LDAPS testing

[CatiaCorreia]

Add to EmbeddedLdapProperties:
-boolean ldaps
-String sslBundleName
Create setLdapsListener method to create and set the LDAPS listener for the server. Add test for new embedded LDAP setup.
Issue#48060

Signed-off-by: CatiaCorreia [email protected]

[snicoll]

Can you please review the proposal. I've added a couple of comments for a start.

[snicoll]

I don't know what this is but you can't add a condition on a private method. What's that supposed to do?

[snicoll]

That doesn't test the SSL bundles, nor the binding. It doesn't work atm anyway (see previous comment).

[wilkinsona]

Thanks very much for the PR, @CatiaCorreia. I've left a few comments for your consideration.

[wilkinsona]

For consistency with other SSL configuration in Spring Boot, the properties should be grouped together in an SSL inner-class. That class should have an enabled property, a bundle property as well as properties for configuring things without using an SSL bundle. org.springframework.boot.amqp.autoconfigure.RabbitProperties.Ssl is a client-side example of that sort of arrangement.

[cdprete]

Hi @wilkinsona.
What's the plan of the Spring Boot team regarding such double configuration possibilities?

It is my understanding (e.g.: https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl#securing-embedded-web-servers), which can easily be wrong, that using SSL bundles is now the preferred way and that the "old" way of specifying single properties should not be used anymore.
If it's indeed the case, does it really make sense to introduce something which is potentially already deprecated?

[wilkinsona]

SslBundles should be injected here using ObjectProvider<SslBundles> sslBundles. You can then use getIfAvailable() to get the bean if it exists or null if it does not.

[wilkinsona]

This won't have any effect here as conditions only work on classes and @Bean methods. It can be removed if you inject SslBundles as suggested above.

[CatiaCorreia]

Thank you for all the feedback. I will start working on the changes right away.

[CatiaCorreia]

I'm writing this message to give a status report. I have implemented the changes discussed above and have tried testing them. I believe I have successfully implemented the creation of the server with SSL without SslBundles. However when it comes to the SslBundles I haven't been able to get a successful test even thought I can't find a problem. There seems to be a problem when the client tries to get a connection to the server (LDAPException code 91). I have committed the changes to a separate branch as I was unsure if I should commit them to this one directly. The branch is found here: https://github.com/CatiaCorreia/spring-boot/tree/gh%2348060-Troubleshooting
At this stage I am trying to ascertain the motive for this error.

[CatiaCorreia]

As I haven't been able to figure out the problem I would like to know if its possible to receive some kind of advice or suggestion. If it isn't possible I will have to move on and tackle another issue.
Thank you for your time.

[cdprete]

I would argue here that this is not really the right exception type. Here you didn't use nor setup LDAP at all yet, so it's misleading to say that there is an error with LDAP itself.
It's purely a configuration issue.

@wilkinsona isn't there maybe some Spring(Boot) config-specific exception which may be used here?

[wilkinsona]

Thanks for trying to help, @cdprete, but things have moved on with https://github.com/CatiaCorreia/spring-boot/tree/gh%2348060-Troubleshooting containing the latest code.

[cdprete]

Thanks for pointing it out @wilkinsona.

[wilkinsona]

Thanks for the latest updates, @CatiaCorreia.

As I haven't been able to figure out the problem I would like to know if its possible to receive some kind of advice or suggestion.

The SSL bundle test that was failing was trying to use a different protocol when creating the SSL context (TLS rather than TLSv1.2). testServerWithSslBundle passes when I add this line to it:

propertyValues.add("spring.ssl.bundle.jks.test.protocol=TLSv1.2");

Would you like to force-push your gh#48060 branch with the changes in gh#48060-Troubleshooting and this additional line? That should get us into a position where we can merge this once we've created our 4.0.x branch and main is producing 4.1.0 snapshots.

[CatiaCorreia]

Thank you very much for the help @wilkinsona. I'll make the changes as soon as I can and do the force push as requested.

[cdprete]

Security-wise, TLS v3 should be the default and not v1 which is not really supported anymore.

[wilkinsona]

The default will be TLSv1.2 as long as the JDK supports it (see the try block below). AFAIK, there's no TLS v3. There is, however, TLSv1.3.

[cdprete]

Yes, with v3 I meant 1.3.

The default will be TLSv1.2 as long as the JDK supports it

Which I would argue, security-wise, why not v1.3 if available?
Personally, I think that the default should be the most secure supported option and the user must take an explicit risk by explicitly configure the application to something lower if he/she really wants to.

Also, although it would be weird, getProtocols() can actually return null which would lead to a NPE when the loop gets initiated. Dunno if you want to handle/check such weird case to begin with.

[CatiaCorreia]

I chose to use the TLSv1.2 by default to be consistent with what is present in other modules of spring boot. @wilkinsona should I keep the consistency or would it be better to use the TLSv1.3? Regarding the possibility of getProtocols() returning null I will make the changes to test for it.

[cdprete]

I chose to use the TLSv1.2 by default to be consistent with what is present in other modules of spring boot.

I see.
Fine for me then.