Shibboleth Security Advisory [27 February 2012]

Identity Provider LDAPS Connections Do Not Perform Hostname Verification
=================

The LDAP support shipped with the Sun/Oracle and OpenJDK JVMs does not perform hostname verification when using LDAPS (see [1] for why). Because the hostname is never checked, the connection between the IdP and the LDAP server is encrypted, but the IdP has no way to verify that it is actually communicating with the intended LDAP server.

Note also that all other LDAP libraries we looked at (Apache Directory, JLDAP, UnboundID, and Netscape LDAP) exhibit the same behavior, so you may want to check any other applications you have that use LDAPS.

Affected Versions
=================

All 1.x and 2.x versions of the Identity Provider

Recommendations
=================

Use startTLS, if your directory supports it, or upgrade to IdP v2.3.6.

Credits
=================

Scott Cantor, The Ohio State University

URL for this Security Advisory
http://shibboleth.internet2.edu/secadv/secadv_20120227.txt

[1] The stated reason for this is that since LDAPS is not officially defined (it was just made up by the OpenLDAP team) there is no specification that says this check is required. The use of the startTLS operation, which is formally defined, does properly perform hostname verification.
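The following is an added example, not code from the advisory or from the Shibboleth IdP, showing what the startTLS recommendation looks like with the JNDI LDAP provider that ships with the JDK. It connects over plain ldap://, upgrades the connection with the startTLS extended operation, and only then sends the bind credentials. The hostname ldap.example.org, the bind DN, the search base and the LDAP_BIND_PASSWORD environment variable are placeholders.

```java
// Added example: LDAP bind over startTLS with the JDK's JNDI LDAP provider.
// Hostname, bind DN, search base and the password variable are placeholders.
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class StartTlsLdapExample {

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_BIND_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("LDAP_BIND_PASSWORD is not set");
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // A plain ldap:// URL: TLS is layered on by the startTLS extended
        // operation below, not by the URL scheme as with ldaps://.
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.org:389/");

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() runs the TLS handshake and, by default, checks that the
            // server certificate matches the host named in PROVIDER_URL. A mismatch
            // is reported as SSLPeerUnverifiedException. This is the check the
            // provider's ldaps:// code path does not make.
            SSLSession session = tls.negotiate();
            System.out.println("TLS established with " + session.getPeerHost()
                    + " using " + session.getCipherSuite());

            // Credentials are only added after TLS is up, so the simple bind
            // travels inside the encrypted, hostname-verified channel.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL,
                    "cn=idp,ou=services,dc=example,dc=org");
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            // The first operation triggers the bind; read one attribute as a smoke test.
            Attributes attrs = ctx.getAttributes("ou=people,dc=example,dc=org",
                    new String[] {"ou"});
            System.out.println("Search base attributes: " + attrs);
        } catch (SSLPeerUnverifiedException e) {
            // Certificate does not match the configured hostname: do not proceed.
            System.err.println("Hostname verification failed: " + e.getMessage());
            throw e;
        } finally {
            if (tls != null) {
                tls.close();
            }
            ctx.close();
        }
    }
}
```

Run it with LDAP_BIND_PASSWORD set in the environment and a directory that supports the startTLS extended operation; a server whose certificate does not name ldap.example.org makes negotiate() fail before any credential is sent. If a deployment needs a different matching policy, StartTlsResponse.setHostnameVerifier() can be called before negotiate(), but the default verifier is what provides the protection this advisory is about, so replacing it with a permissive one reintroduces the LDAPS problem.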