
Re: difference between ldaps and startTLS



In message <HBF.20030506kfl@bombur.uio.no> on Tue, 6 May 2003 10:30:07 +0200, Hallvard B Furuseth <h.b.furuseth@usit.uio.no> said:

h.b.furuseth> > Another problem is if I run slapd only with ldaps I'm sure that
h.b.furuseth> > nobody can access the slapd server without SSL.
h.b.furuseth> > It's not the case if I use the extended operation startTLS.
h.b.furuseth> 
h.b.furuseth> True, though I suspect it's the other way around in practice: A library
h.b.furuseth> which implements TLS is likely to implement SSL as well, since they are
h.b.furuseth> so similar.  OTOH, if you have an old LDAP implementation which
h.b.furuseth> does not implement TLS, you could still run it inside SSL if you have
h.b.furuseth> that.

Uhmm, the difference between TLS and SSL is smaller than that.
Basically, one can view TLS 1.0 as SSL 3.1 (3.1 is actually the
version number used by the protocol :-)).  TLS is backward compatible
with the SSL v3.0, and to a certain extent with SSL v2.0 (it's
described in RFC2246, appendix E).

You're absolutely right that most TLS libraries also implement SSL
(SSL v3.0 is still the most commonly used version of the protocol).
For example, that goes for OpenSSL, which is used by OpenLDAP to
implement the SSL/TLS layer.

One of the biggest features with TLS is that it's defined by IETF, as
opposed to SSL, which is defined by Netscape.

h.b.furuseth> I imagine the advantages of TLS over SSL is that TLS is better
h.b.furuseth> integrated with LDAP, and that it doesn't take up another port.

I'm not sure that's at all relevant, unless a TLS-only library is
used.  Sure, the word "startTLS" is used, but the protocol version
negotiated by client and server might just as well be SSL v3.0.

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
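Added example, not part of the message above and not OpenLDAP or OpenSSL code: a small classifier that looks at the first bytes sent on an LDAP connection and reports whether it is plaintext LDAP (what a StartTLS session looks like before the extended operation) or an SSL/TLS handshake, and which version bytes it carries. It makes concrete the point that TLS 1.0 is "SSL 3.1" on the wire (record and Hello version fields are 3.1, while SSL 3.0 is 3.0), that the version a StartTLS session actually negotiates is whatever the ServerHello says, and that an SSLv2-compatible ClientHello (RFC 2246 appendix E) can still advertise 3.1. The TLS 1.1/1.2 entries and the sample PDUs are my additions; the make_hello helper builds constructed, minimal Hello records rather than real captures.

```python
"""Classify the first bytes a client or server sent on an LDAP connection:
plaintext LDAP, an SSL/TLS handshake record, or an SSLv2-style hello, and
which protocol version bytes it carries.  Added example; not OpenLDAP/OpenSSL code."""
import struct

# Version bytes as they appear on the wire: TLS 1.0 really is "SSL 3.1".
# TLS 1.1/1.2 are included for completeness; the thread only discusses 3.0/3.1.
VERSION_NAMES = {
    (2, 0): "SSL 2.0",
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HANDSHAKE = 0x16                 # TLS record ContentType for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2
LDAP_SEQUENCE = 0x30             # every LDAPMessage is a BER SEQUENCE


def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")


def classify(data: bytes) -> dict:
    """Return the transport type and any SSL/TLS version fields found."""
    if not data:
        raise ValueError("empty input")
    first = data[0]
    if first == LDAP_SEQUENCE:
        # Plaintext LDAP PDU: on an ldaps-only listener this should never appear.
        return {"transport": "plaintext-ldap"}
    if first == HANDSHAKE and len(data) >= 5:
        # Record header: ContentType(1) ProtocolVersion(2) length(2)
        major, minor, length = struct.unpack("!BBH", data[1:5])
        result = {"transport": "tls-record", "record_version": version_name(major, minor)}
        body = data[5:5 + length]
        # Handshake header: HandshakeType(1) length(3); the Hello's version field follows.
        if len(body) >= 6 and body[0] == CLIENT_HELLO:
            result["client_version"] = version_name(body[4], body[5])  # highest offered
        elif len(body) >= 6 and body[0] == SERVER_HELLO:
            result["server_version"] = version_name(body[4], body[5])  # negotiated
        return result
    if first & 0x80 and len(data) >= 5 and data[2] == CLIENT_HELLO:
        # SSL 2.0-style ClientHello (RFC 2246 appendix E): 2-byte length with the
        # high bit set, msg_type, then the highest version the client supports.
        return {"transport": "sslv2-hello", "client_version": version_name(data[3], data[4])}
    return {"transport": "unknown"}


def make_hello(kind: int, major: int, minor: int) -> bytes:
    """Construct a minimal ClientHello/ServerHello record (sample input, not a real capture)."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    if kind == CLIENT_HELLO:
        body += b"\x00\x02\x00\x0a" + b"\x01\x00"            # one cipher suite, null compression
    else:
        body += b"\x00\x0a" + b"\x00"                         # chosen suite, null compression
    handshake = bytes([kind]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: an anonymous LDAPv3 bind request, and an SSLv2-compatible
# ClientHello that advertises version 3.1 (TLS 1.0).
LDAP_BIND = b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01" + b"\x00" * (0x2e - 3)

if __name__ == "__main__":
    for sample in (LDAP_BIND, make_hello(CLIENT_HELLO, 3, 1),
                   make_hello(SERVER_HELLO, 3, 0), SSLV2_HELLO):
        print(classify(sample))
```

Feeding the first bytes of each accepted connection on an ldaps listener through classify() is a cheap way to confirm the "nobody gets in without SSL" property: anything classified as plaintext-ldap there is a misconfiguration, and the server_version of the ServerHello tells you whether a StartTLS client really ended up on SSL 3.0 rather than TLS.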