RE: TLS/SSL future direction
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Drew Raines
> Sent: Wednesday, January 02, 2002 3:18 PM
> It seems like ldaps is becoming obsolete, from comments I've seen on this
> list in the last few months. I have Solaris machines currently
> authenticating against an OpenLDAP 2.0.18 slapd through TLS and SSL. I'm
> trying to get my linux machines to do the same. Would it behoove me to
> switch everything to TLS-only? If this is the case, how can I restrict port
> 389 to only accept start_tls connections?
Look into the "requires strong" and "security tls" options in slapd.conf.
> TLS and SSL are always mentioned together even though they're seemingly
> quite different implementations. What gives?
TLS is the standards-based name for SSL version 3.1. They are usually
mentioned together because they are nearly identical. We use them together
because the same library (OpenSSL) provides SSLv2, SSLv3, and SSLv3.1/TLS implementations for us.
I personally prefer to keep my sensitive data on its own port, so that it can be controlled by other mechanisms (e.g. firewall).
The LDAPv3 spec may dictate that Start_TLS is the way to go, but I find ldaps URLs too useful to give up.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
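For readers looking up the two slapd.conf directives named in the reply, here is a minimal fragment that answers the original question (refuse anything on port 389 that is not protected by StartTLS). This is an added example, not from the original thread or from the OpenLDAP project; the certificate paths and the SSF value of 128 are assumptions to be adapted to the deployment.

```conf
# slapd.conf fragment (added example, not from the thread)

# TLS material that slapd presents to clients; paths are assumptions.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem

# "security" sets a minimum security strength factor (SSF) that a session
# must have before slapd will service operations on it. tls=128 means a
# TLS layer with at least 128-bit cipher strength, whether it was set up by
# StartTLS on 389 or by ldaps on 636. The StartTLS request itself is still
# accepted on a plain connection, so clients can upgrade; anything else on
# a cleartext session is refused with a "confidentiality required" error.
security tls=128

# "require" adds per-operation conditions. "strong" refuses binds that are
# not protected by an encrypted session (or by a SASL mechanism with
# integrity/confidentiality), so cleartext simple binds are rejected.
require strong
```

With both directives in place, a client that connects to 389 and tries to bind or search without first issuing StartTLS is turned away, which is the "restrict port 389 to start_tls" behaviour the question asked for; ldaps on 636 keeps working unchanged if slapd is still started with `-h "ldap:/// ldaps:///"`.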