
RE: TLS/SSL future direction

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Drew Raines
> Sent: Wednesday, January 02, 2002 3:18 PM

> It seems like ldaps is becoming obsolete, from comments I've seen on this
> list in the last few months.  I have Solaris machines currently
> authenticating against an OpenLDAP 2.0.18 slapd through TLS and SSL.  I'm
> trying to get my linux machines to do the same.  Would it behoove me to
> switch everything to TLS-only?  If this is the case, how can I restrict port
> 389 to only accept start_tls connections?

Look into the "requires strong" and "security tls" options in slapd.conf.

> TLS and SSL are always mentioned together even though they're seemingly
> quite different implementations.  What gives?

TLS is the standards-based name for SSL version 3.1. They are usually
mentioned together because they are nearly identical. We use them together
because the same library (OpenSSL) provides SSLv2, SSLv3, and SSLv3.1/TLS
implementations for us.

I personally prefer to keep my sensitive data on its own port, so that it can
be controlled by other mechanisms (e.g. firewall configuration rules).
The LDAPv3 spec may dictate that Start_TLS is the way to go, but I find ldaps
URLs too useful to give up.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
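The reply above names the two slapd.conf directives that answer the "how do I keep port 389 from accepting cleartext" question. What follows is an added example, not part of this message and not OpenLDAP project code: a global-section fragment showing how `security tls=1` and `require strong` (the directive is spelled `require` in slapd.conf(5)) fit together with the TLS certificate settings. The certificate paths and the host name in the comments are placeholders; substitute your own.

```conf
# Added example (not from the mailing-list post). Global section of slapd.conf.
# Goal: slapd keeps listening on ldap://:389, but every operation on that
# port must happen inside a TLS session negotiated via StartTLS.
# Paths are placeholders.

# Server certificate, private key, and the CA chain clients will validate.
TLSCACertificateFile   /etc/openldap/ssl/ca.crt
TLSCertificateFile     /etc/openldap/ssl/slapd.crt
TLSCertificateKeyFile  /etc/openldap/ssl/slapd.key

# Refuse any operation, bind included, unless TLS is in effect on the session.
# slapd exempts the StartTLS extended operation itself from this check, so a
# client connecting to ldap://host:389 can still negotiate TLS first; an
# ldaps:// session already satisfies it. Anything else attempted over a
# cleartext session is answered with confidentialityRequired (result code 13).
# Use tls=128 instead of tls=1 to also insist on a 128-bit or stronger cipher.
security tls=1

# Require "strong" authentication before directory operations. In slapd.conf(5)
# "strong" covers SASL and a simple bind that is protected by TLS, so together
# with the line above no password can cross the wire in the clear.
# Note this also blocks anonymous reads; if you need those, drop this line and
# rely on "security tls=1" alone (or "security simple_bind=128" to protect
# only the bind itself).
require strong

# Which listeners exist is a slapd command-line choice, not a config directive,
# e.g.  slapd -h "ldap:/// ldaps:///"  keeps both 389 and 636 available, which
# is what the ldaps-on-its-own-port preference above calls for.

# Verification from a client (expected outcomes):
#   ldapsearch -x -H ldap://host -b "" -s base        -> fails, result 13,
#                                                        "Confidentiality required"
#   ldapsearch -x -ZZ -H ldap://host -b "" -s base    -> succeeds (-ZZ aborts
#                                                        unless StartTLS worked)
```

The useful property here is that the policy is enforced server-side per operation, so a misconfigured client that forgets `-Z`/`-ZZ` gets a hard error rather than silently authenticating in the clear, and ldaps on 636 keeps working unchanged because it satisfies the same `tls=` factor.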