A bug was introduced in JNDI that affects all Java versions above 8. The bug will manifest as a NullPointerException when LDAPS is used, but it affects all JNDI connections. In particular, all functions that perform bind operations will orphan an open connection. Until
Another bug was introduced more recently in a subset of Java 8 versions that in some cases may be the latest versions available on particular platforms, and this bug is completely fatal to all TLS usage because it causes hostname verification failures.
Unless JNDI is fixed the following instructions can be used to work around the bug.
...
- Add -Dorg.ldaptive.provider=org.ldaptive.provider.unboundid.UnboundIDProvider as a runtime switch to Java.
- For example, on Jetty, it can be added to start.ini or another ini file loaded from the start.d directory.
On Windows if you are running procrun (includes the Jetty software installed by the Shibboleth Windows Installer), you set this via the "Java Options" table of the "Java" tab of the "Commons Daemon Service Manager" (C:\Program Files (x86)\Shibboleth\ProcRun\shibd_idpw.exe for a Shibboleth Windows installation, and tomcatw.exe for a Tomcat installation).
- Add the ldaptive-unboundid-1.0.13.jar and unboundid-ldapsdk-4.0.9.jar libraries to your classpath
- Typically this is done by adding them to the edit-webapp directory and rebuilding your warfile via bin/build.sh or bin/built.bat
References
JDK Bug Reporthttps://bugs.openjdk.java.net/browse/JDK-8217606
https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-October/012887.html