8200666: Improve LDAP support

Reviewed-by: chegar

src/share/classes/com/sun/jndi/ldap/Connection.java

 /*
- * Copyright (c) 1999, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,26 +27,27 @@ package com.sun.jndi.ldap;
 
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
-import java.io.InterruptedIOException;
 import java.io.IOException;
-import java.io.OutputStream;
 import java.io.InputStream;
+import java.io.InterruptedIOException;
+import java.io.OutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.net.Socket;
-import javax.net.ssl.SSLSocket;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.Arrays;
 
 import javax.naming.CommunicationException;
-import javax.naming.ServiceUnavailableException;
-import javax.naming.NamingException;
 import javax.naming.InterruptedNamingException;
-
+import javax.naming.NamingException;
+import javax.naming.ServiceUnavailableException;
 import javax.naming.ldap.Control;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
 
-import java.lang.reflect.Method;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationTargetException;
-import java.util.Arrays;
 import sun.misc.IOUtils;
-//import javax.net.SocketFactory;
 
 /**
   * A thread that creates a connection to an LDAP server.
@@ -159,7 +160,18 @@ public final class Connection implements Runnable {
 
     int readTimeout;
     int connectTimeout;
-
+    private static final boolean IS_HOSTNAME_VERIFICATION_DISABLED
+            = hostnameVerificationDisabledValue();
+
+    private static boolean hostnameVerificationDisabledValue() {
+        PrivilegedAction<String> act = () -> System.getProperty(
+                "com.sun.jndi.ldap.object.disableEndpointIdentification");
+        String prop = AccessController.doPrivileged(act);
+        if (prop == null) {
+            return false;
+        }
+        return prop.isEmpty() ? true : Boolean.parseBoolean(prop);
+    }
     // true means v3; false means v2
     // Called in LdapClient.authenticate() (which is synchronized)
     // when connection is "quiet" and not shared; no need to synchronize
@@ -368,15 +380,20 @@ public final class Connection implements Runnable {
         // the SSL handshake following socket connection as part of the timeout.
         // So explicitly set a socket read timeout, trigger the SSL handshake,
         // then reset the timeout.
-        if (connectTimeout > 0 && socket instanceof SSLSocket) {
+        if (socket instanceof SSLSocket) {
             SSLSocket sslSocket = (SSLSocket) socket;
             int socketTimeout = sslSocket.getSoTimeout();
-
-            sslSocket.setSoTimeout(connectTimeout); // reuse full timeout value
+            if (!IS_HOSTNAME_VERIFICATION_DISABLED) {
+                SSLParameters param = sslSocket.getSSLParameters();
+                param.setEndpointIdentificationAlgorithm("LDAPS");
+                sslSocket.setSSLParameters(param);
+            }
+            if (connectTimeout > 0) {
+                sslSocket.setSoTimeout(connectTimeout); // reuse full timeout value
+            }
             sslSocket.startHandshake();
             sslSocket.setSoTimeout(socketTimeout);
         }
-
         return socket;
     }