[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: StartTLS issues (ITS#1590)

At 06:45 AM 5/27/2004, Kirill Kovalenko wrote:
>2. Response
>Having fixed described above we came across another issues which concerns
>TLS extended operation response.
>As RFC2830 states:
>   A Start TLS extended response MUST contain a responseName field which
>   MUST be set to the same string as that in the responseName field
>   present in the Start TLS extended request.

The specification here is considered to be in error here.

An client which implements RFC 2830 must be capable of handling
responses from servers which do not implement RFC 2830.  And such
a server cannot be expected to know what responseName to specify,
this MUST is flawed.

We are working with the IETF to revise the specification to note
that responseName is optional (it really intended only for use
with unsolicited notifications, not extended operation responses
(as they are simply not needed)).

>Unfortunately OpenLDAP server doesn't return the 'responseName' field.

Why is it unfortunate?

>This defect may prevent other LDAP APIs from understanding the response of
>OpenLDAP servers.  For instance, Microsoft LDAP API doesn't accept the
>response without this field. We suggest to add the responseName field to the

It was previously reported that the Microsoft LDAP API implementation
did not require the responseName field to be present.  Please double