RE: StartTLS downgrading



At 04:30 PM 2/23/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Timothy H Folks
>
>> I found the following note in the LDAP tips section of Sun's JNDI
>> tutorial:
>>
>> Note 2: The OpenLDAP server, upon receiving the tls.close(),
>> will shut
>> down the connection instead of downgrading it to a plain connection.
>>
>> Is this still true?
>
>Yes.


>The RFC never mandated a particular behavior for this operation.

For clarity here, RFC 2830, 4.1 describes graceful TLS closure;
however, it states that continuing to process LDAP messages
post closure is a MAY (i.e., optional).

>OpenLDAP just does whatever OpenSSL does. OpenSSL's "close" function tears
>down the SSL session and closes the socket.

OpenSSL issues aside, OpenLDAP purposefully refuses to continue
to process LDAP messages after TLS closure for security reasons.

Kurt