[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL3 alert write:fatal:unknown CA

To: Quanah Gibson-Mount <quanah@stanford.edu>
Subject: Re: SSL3 alert write:fatal:unknown CA
From: Kent Soper <dksoper@us.ibm.com>
Date: Thu, 26 Jun 2003 17:05:51 -0500
Cc: OpenLDAP <openldap-software@OpenLDAP.org>, owner-openldap-software@OpenLDAP.org, Pierre Burri <pierre@globeall.de>




Quanah Gibson-Mount wrote:
>> Hi Kent,
>> I looked in your excellent Document OpenLDAP_TLS_howto, also because
>> Quanah  Gibson-Mount mentioned it.
>>
>> In Chapter 7 Using TLS you give the following example:
>>
>> ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com"
>> '(objectclass=*)' -H ldaps://myserver.com -W -ZZ
>>
>> I thought TLS was working on port 389 and only SSL was using ldaps://
>> If that's true the command would be:
>
>Pierre, SSL and TLS are essentially the same thing.  OpenLDAP does SSL+TLS

>on port 389.  By specifying ldaps://, you request that it make an
encrypted
>call to the OpenLDAP server, via SSL/TLS encryption.
>
>--Quanah

On step further ... TLSv1 is basically SSLv3.
SSL-enabled OpenLDAP servers use port 636 by default, but can use other
ports if the server is started on those drives.
TLS can be enabled on any OpenLDAP server port besides SSL ports.  389 is
the default LDAP server port.

example:
% slapd -h "ldap:///  ldap://:12345  ldaps:///  ldaps://:999"

gives 2 SSL-enabled ports (636 & 999) and 2 'potential' TLS-enabled ports
(389 & 12345) if OpenLDAP clients start TLS.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com

Follow-Ups:
- Re: SSL3 alert write:fatal:unknown CA
  - From: Pierre Burri <pierre@globeall.de>

Prev by Date: Re: SSL3 alert write:fatal:unknown CA
Next by Date: Re: SSL3 alert write:fatal:unknown CA
Index(es):
- Chronological
- Thread