[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS or plain?

Stephen Frost wrote:
* Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:

It is my understanding that when a client connects
to a server using ldaps://.... instead of ldap://...
then a TLS session is first negotiated with the server,
then the client uses whatever "method" is specified...

This isn't really accurate. ldaps is for SSL sessions. TLS is used on the regular ldap:// port and is a way to 'upgrade' a connection to encrypted.

*Your* explanation isn't really accurate.

You probably are talking about LDAP on top of SSL/TLS layer (out-of-band encryption tunnel usually on separate port) vs. using StartTLS extended operation in an existing LDAPv3 connection (negotiating encryption tunnel in-band).

TLSv1 is the sucessor of SSLv3 standardized by the IETF (SSL was a proprietary protocol developed by Netscape) and it has nothing to do with LDAP in the first place. If you use ldaps:// depending on the client and server configuration you can either use SSL or TLS.

Ciao, Michael.