Re: TLS or plain?

* Michael Ströder (michael@stroeder.com) wrote:
> Stephen Frost wrote:
> >* Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:
> >
> >>It is my understanding that when a client connects
> >>to a server using ldaps://.... instead of ldap://...
> >>then a TLS session is first negotiated with the server,
> >>then the client uses whatever "method" is specified...
> >
> >This isn't really accurate.  ldaps is for SSL sessions.  TLS is used on
> >the regular ldap:// port and is a way to 'upgrade' a connection to
> >encrypted.
> *Your* explanation isn't really accurate.

Sure it is, it just isn't as verbose.

> You probably are talking about LDAP on top of SSL/TLS layer (out-of-band 
> encryption tunnel usually on separate port) vs. using StartTLS extended 
> operation in an existing LDAPv3 connection (negotiating encryption tunnel 
> in-band).

That would be ldaps:// vs. ldap:// with TLS, as I said above, yes.

> TLSv1 is the successor of SSLv3 standardized by the IETF (SSL was a 
> proprietary protocol developed by Netscape) and it has nothing to do with 
> LDAP in the first place. If you use ldaps:// depending on the client and 
> server configuration you can either use SSL or TLS.

My experience with using ldaps:// has been that it's expecting an SSL
connection as opposed to a regular connection which then moves to TLS.
Certainly depending on the client and server configuration you can use
either SSL or TLS on port 1234, if you'd prefer.
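
The distinction the two posters are circling (an encryption tunnel set up before any LDAP traffic versus an in-band StartTLS upgrade of an existing LDAPv3 connection) is easiest to see on the wire. The following is an added Python illustration, not code from anyone in this thread: it hand-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) so you can see that it is an ordinary LDAP message sent in cleartext, parses the ExtendedResponse that comes back, and contrasts that with the ldaps:// style where the TLS handshake happens first. The default ports 636 and 389 are the conventional ones and are assumed, not taken from the thread; the two connect_* functions need a real directory server, while the encoder and parser run offline.

```python
"""ldaps:// (TLS first, then LDAP) vs. ldap:// + StartTLS (LDAP first, TLS upgraded in-band).

Added illustration for the thread above, not code posted by any participant.
"""
import socket
import ssl

# StartTLS extended operation OID (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    if not 1 <= msg_id <= 0x7F:
        raise ValueError("this example keeps messageID to a single byte")
    request_name = ber_tlv(0x80, STARTTLS_OID)   # [0] LDAPOID: context tag 0, primitive
    ext_req = ber_tlv(0x77, request_name)        # [APPLICATION 23] constructed: 0x60 | 23
    message_id = ber_tlv(0x02, bytes([msg_id]))  # INTEGER
    return ber_tlv(0x30, message_id + ext_req)   # SEQUENCE


def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extended_response_code(msg: bytes) -> int:
    """Return LDAPResult.resultCode from an LDAPMessage carrying an ExtendedResponse."""
    tag, body, _ = _tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(body, 0)                    # skip messageID
    tag, op, _ = _tlv(body, pos)
    if tag != 0x78:                              # [APPLICATION 24] constructed: 0x60 | 24
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = _tlv(op, 0)                   # resultCode is an ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full LDAP message arrived")
        buf += chunk
    return buf


def read_ldap_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from a socket."""
    head = _read_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        ext = _read_exact(sock, length & 0x7F)
        head, length = head + ext, int.from_bytes(ext, "big")
    return head + _read_exact(sock, length)


def connect_ldaps(host: str, port: int = 636, ctx=None):
    """ldaps://: the TLS handshake completes before a single LDAP byte is exchanged."""
    ctx = ctx or ssl.create_default_context()
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def connect_starttls(host: str, port: int = 389, ctx=None):
    """ldap:// + StartTLS: plain LDAP first, then an in-band upgrade. Fails closed."""
    ctx = ctx or ssl.create_default_context()
    raw = socket.create_connection((host, port))
    raw.sendall(starttls_request(1))             # this LDAP message crosses the wire in cleartext
    code = extended_response_code(read_ldap_message(raw))
    if code != 0:                                # 0 = success; anything else: never carry on in clear
        raw.close()
        raise RuntimeError(f"server refused StartTLS (resultCode {code})")
    return ctx.wrap_socket(raw, server_hostname=host)   # TLS handshake only now
```

The practical check this adds: with StartTLS the client has already talked LDAP in the clear before the upgrade, so a client that quietly continues after a refused or stripped StartTLS response is a downgrade waiting to happen; the code above raises instead. In both styles the server certificate is verified by `ssl.create_default_context()`, and nothing in either path ties "SSL" or "TLS" to a particular port, which is the point the reply makes about port 1234.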


