> > 3.1.2. StartTLS Response
> >
> >    The server will return a resultCode other than success (as
> >    documented in [Protocol] section 4.13.2.2) if it is unwilling or
> >    unable to negotiate TLS. In this case the LDAP session is left
> >    without a TLS layer.
>
> This only says what happens at non-success, not at success.
> [Protocol] is rather sparse about it too.
Based on Hallvard's query above, Jim Sermersheim and I recommend a change to paragraph 2 of [Protocol] section 14.4.2 to explicitly state that a success resultCode indicates that the protocol peers should begin TLS negotiation. I'll leave it to Jim to craft the wording.
Thanks,
Roger
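The exchange under discussion, as an added example that is not part of the thread and not code from any LDAP implementation: it hand-encodes the BER for the LDAPv3 StartTLS ExtendedRequest and ExtendedResponse and makes the client decision that the quoted draft text leaves implicit, namely that a success resultCode means the peers now begin the TLS handshake while any other resultCode leaves the session in cleartext. The server-side builder is a stand-in constructed for the example, and all helper names (tlv, build_starttls_request, handle_starttls_response, ...) are this example's own.

```python
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID
SUCCESS, UNWILLING_TO_PERFORM = 0, 53        # LDAP resultCode values

# --- minimal BER, definite length only (all LDAP needs) ----------------------

def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:
    # minimal two's complement for non-negative values (messageID, resultCode)
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); reject truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

# --- client: LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] } -------

def build_starttls_request(msg_id: int) -> bytes:
    # requestName is [0] (context-specific, primitive) => tag 0x80; StartTLS has no requestValue
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))            # [APPLICATION 23], constructed
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + ext_req)

# --- server stand-in (constructed for this example) -----------------------------

def build_extended_response(msg_id: int, result_code: int, diag: bytes = b"",
                            response_name: Optional[bytes] = None) -> bytes:
    # LDAPResult: resultCode ENUMERATED, matchedDN (empty), diagnosticMessage
    ldap_result = tlv(0x0A, ber_int(result_code)) + tlv(0x04, b"") + tlv(0x04, diag)
    if response_name is not None:
        ldap_result += tlv(0x8A, response_name)              # responseName [10]
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x78, ldap_result))  # [APPLICATION 24]

# --- client: decode the response and decide what the session is now --------------

def parse_extended_response(msg: bytes):
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    msg_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, rc, p = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    result_code = int.from_bytes(rc, "big", signed=True)
    _, _matched_dn, p = read_tlv(op, p)
    _, diag, p = read_tlv(op, p)
    response_name = None
    while p < len(op):                                       # optional referral/responseName/responseValue
        tag, val, p = read_tlv(op, p)
        if tag == 0x8A:
            response_name = val
    return msg_id, result_code, diag.decode("utf-8", "replace"), response_name

def handle_starttls_response(msg: bytes, expected_id: int) -> str:
    """'begin_tls': peer accepted, start the TLS handshake on the socket now.
    'cleartext': peer declined, the LDAP session continues without a TLS layer,
    so the client must not send credentials or other sensitive data on it."""
    msg_id, rc, _diag, name = parse_extended_response(msg)
    if msg_id != expected_id:
        raise ValueError(f"response for message {msg_id}, expected {expected_id}")
    if name not in (None, STARTTLS_OID):
        raise ValueError("responseName is not the StartTLS OID")
    return "begin_tls" if rc == SUCCESS else "cleartext"

if __name__ == "__main__":
    req = build_starttls_request(1)
    print("C->S:", req.hex())
    ok = build_extended_response(1, SUCCESS, response_name=STARTTLS_OID)
    print("S->C:", ok.hex(), "->", handle_starttls_response(ok, 1))
    no = build_extended_response(1, UNWILLING_TO_PERFORM, b"TLS not available")
    print("S->C:", no.hex(), "->", handle_starttls_response(no, 1))
```

The point of the two return values is the one the thread is circling: a client that only checks for the non-success case has nothing to key its TLS handshake on, and a client that treats any response as "TLS is up" will bind in the clear. Mapping success explicitly to "begin TLS" and everything else to "still cleartext" is what the proposed [Protocol] wording would pin down.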