Re: (ITS#8675) tools continuing after ldap_start_tls_ returns non-LDAP error
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8675) tools continuing after ldap_start_tls_ returns non-LDAP error
- From: kurt@boolean.net
- Date: Mon, 19 Jun 2017 13:09:55 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
It's a standard conformance issue....
The spec says that upon StartTLS 'success', TLS communications are established on the octet following the Start TLS response (and the request)... and that once one starts TLS communications, one can never go back to LDAP without TLS. So if there's a TLS failure (whether as part of TLS nego or later), LDAP communications cannot be continued (without TLS).
Only ignoring LDAP errors (rc > 0) ensures that if TLS negotiation fails, we don't attempt to send LDAP operations without TLS.
-- Kurt
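As an added illustration (not part of Kurt's message and not OpenLDAP library code), the following Python model captures the rule he states: a positive return code from ldap_start_tls_s is an LDAP result code, meaning the server refused the extended request and the clear-text session is still intact, so a tool may go on only if TLS was optional; a negative return code is a library/TLS error raised after the StartTLS exchange began, after which the session can never drop back to clear-text LDAP. The rc sign convention and the constant names follow libldap's ldap.h (protocol result codes are positive, API errors such as LDAP_CONNECT_ERROR are negative, LDAP_SUCCESS is 0); the connection class, its state names and the sample operations are constructed for this example.

```python
"""Model of the StartTLS state transition and the rc handling described above.

Constructed example: the StartTlsConnection class and its State values are
hypothetical, not libldap API.  Only the integer rc convention (and the
constant names) mirror OpenLDAP's ldap.h.
"""
from enum import Enum

# LDAP protocol result codes returned by the server: positive in libldap.
LDAP_SUCCESS = 0
LDAP_PROTOCOL_ERROR = 2
LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12

# libldap API/library errors: negative.  A failed TLS handshake after the
# server already answered 'success' surfaces as one of these.
LDAP_SERVER_DOWN = -1
LDAP_CONNECT_ERROR = -11


class State(Enum):
    CLEAR = "clear"   # plain LDAP; StartTLS not yet attempted, or refused by server
    TLS = "tls"       # TLS layer established on the octet after the response
    DEAD = "dead"     # TLS started but failed: no way back to clear-text LDAP


class StartTlsConnection:
    """Tracks which layer the next LDAP PDU would be written to."""

    def __init__(self):
        self.state = State.CLEAR
        self.sent = []  # (state, operation) pairs, for inspection in tests

    def start_tls(self, rc, require_tls=False):
        """Apply the outcome of a (simulated) ldap_start_tls_s() call.

        Returns True if the caller may keep sending operations on this
        connection, False if the tool must stop.
        """
        if rc == LDAP_SUCCESS:
            # Server said 'success' and the handshake completed: every
            # following octet is inside TLS.
            self.state = State.TLS
            return True
        if rc > 0:
            # LDAP result code: the server rejected the extended request, so
            # no TLS octets were exchanged and the clear-text session is still
            # valid.  This is the only failure a tool may choose to ignore,
            # and only when TLS was optional (cf. ldapsearch -Z vs -ZZ).
            return not require_tls
        # rc < 0: library/TLS error.  The TLS exchange may already have begun,
        # and the spec forbids resuming clear-text LDAP once it has, so the
        # connection is treated as unusable regardless of require_tls.
        self.state = State.DEAD
        return False

    def send(self, operation):
        """Queue an LDAP operation; refuses to write clear text after a TLS failure."""
        if self.state is State.DEAD:
            raise ConnectionError(
                f"TLS negotiation failed; refusing to send {operation!r} in clear text"
            )
        self.sent.append((self.state, operation))
        return self.state


def describe(rc, require_tls=False):
    """Human-readable decision for one rc value (handy for a quick CLI check)."""
    conn = StartTlsConnection()
    ok = conn.start_tls(rc, require_tls=require_tls)
    return f"rc={rc:>4}  require_tls={require_tls!s:<5}  state={conn.state.value:<5}  continue={ok}"


if __name__ == "__main__":
    for rc in (LDAP_SUCCESS, LDAP_UNAVAILABLE_CRITICAL_EXTENSION, LDAP_CONNECT_ERROR):
        for require_tls in (False, True):
            print(describe(rc, require_tls))
```

The point the model makes explicit is that the sign of rc tells the caller which layer the connection is on: a positive code leaves it in CLEAR, a negative one moves it to DEAD, and nothing moves it from TLS or DEAD back to CLEAR.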