[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

To: Emmanuel Dreyfus <manu@netbsd.org>, openldap-software@openldap.org
Subject: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Mon, 23 Jul 2007 13:18:43 -0700
Content-disposition: inline
In-reply-to: <1i1q4bm.n8kr0i5rxhhwM%manu@netbsd.org>
References: <1i1q4bm.n8kr0i5rxhhwM%manu@netbsd.org>

--On July 23, 2007 10:09:33 PM +0200 Emmanuel Dreyfus <manu@netbsd.org> wrote:

Quanah Gibson-Mount <quanah@zimbra.com> wrote:

Just note that using SSL over port 636 is not a defined protocol, and may
go away in the future.  Avoidance of its use when possible recommended.


I have this in /etc/services:
ldaps           636/tcp    ldap protocol over TLS/SSL (was sldap)

And checking the authoritative source confirms it's registered.
http://www.iana.org/assignments/port-numbers

So what's wrong with LDAP/SSL over port 636?

It is not defined by any RFC, it is simply a hack that was put in to address an issue with LDAPv2. LDAPv3 implements the RFC defined STARTTLS operation (RFC 2830). Just because it is registered with iana doesn't mean it is something that's been truly defined. As such, it faces the possibility of disappearing in the future.

--Quanah


--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Next by Date: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
Index(es):
- Chronological
- Thread