[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap_sasl_interactive_bind_s: Local error ???

To: billd <bd@emtex.com>
Subject: Re: ldap_sasl_interactive_bind_s: Local error ???
From: Tony Earnshaw <tonni@billy.demon.nl>
Date: 21 Nov 2002 14:55:38 +0100
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
In-reply-to: <3DDCAE7B.3000301@emtex.com>
Organization:
References: <200211200821.QAA122900@ns2.sdb.ac.cn> <1037794539.2446.89.camel@localhost> <3DDB8371.3040406@emtex.com> <1037800244.5148.144.camel@localhost> <3DDB935C.4050102@emtex.com> <1037823327.5148.232.camel@localhost> <3DDCAE7B.3000301@emtex.com>

tor, 2002-11-21 kl. 10:59 skrev billd:

> I think you have the wrong end of the
> stick...  I'm not getting thrown out by anything,
> my ldap server is working fine,

:-p

>  I was just curious
> about what you (and others) said about SSL and TLS being
> different.

To my weak and feeble brain they are different in as much as if you have
an SSL service running on port 995 and a client keeps shouting:
"starttls" at it and nothing happens, it's a different protocol. And if
a mail client tries to do "ehlo/helo" to a mail server in SSL instead of
in plain text, and the server doesn't react, it's a different protocol.

> I think it's quite confusing when people
> say that TLS is not the same thing as SSL when on the
> openSSL site, they pretty much consistently use
> SSL/TLS as one entity.

It's only the encryption handshakes/algorithms that are the same. In
that respect you should be able to say the IPSEC should also be
included. FreeS/WAN uses Openssl too, but the whole business of setting
up an IP layer level VPN tunnel with IPSEC is so radically different
from the above, that no one in his right mind would include it. There
are umpteen rfcs for all of the above and I've had to read and memorize
far too many of them.

> I was just trying to clarify that in fact
> the difference is the startTLS command which can
> be issued on the standard listener port to request
> to start an encrypted session... and if the application
> honours the startTLS command, or if it is older and
> has a seperate port for secure startup.

It's no good a client shouting "starttls" at a FreeS/WAN/IPSEC peer,
although ultimate handshakes could (not necessarily will) also result in
exactly the same sort of (encapsulated) encrypted transport - though at
a different OSI layer level. You really ought to think of each as
different protocols.

Start reading rfcs!

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl

References:
- ldap_sasl_interactive_bind_s: Local error ???
  - From: "Zhang Fei" <zhfei@sdb.ac.cn>
- Re: ldap_sasl_interactive_bind_s: Local error ???
  - From: Tony Earnshaw <tonni@billy.demon.nl>
- Re: ldap_sasl_interactive_bind_s: Local error ???
  - From: Bill Dossett <bd@emtex.com>
- Re: ldap_sasl_interactive_bind_s: Local error ???
  - From: Tony Earnshaw <tonni@billy.demon.nl>
- Re: ldap_sasl_interactive_bind_s: Local error ???
  - From: Bill Dossett <bd@emtex.com>
- Re: ldap_sasl_interactive_bind_s: Local error ???
  - From: Tony Earnshaw <tonni@billy.demon.nl>
- Re: ldap_sasl_interactive_bind_s: Local error ???
  - From: billd <bd@emtex.com>

Prev by Date: Re: Does a Slave-server needs to see a Master ?
Next by Date: entryUUID
Index(es):
- Chronological
- Thread