[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SSL/TLS Inquiry

To: Steve Finkelstein <sf@stevefink.net>
Subject: Re: SSL/TLS Inquiry
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Mon, 19 Feb 2007 10:50:38 +0100
Cc: openldap-software@openldap.org
In-reply-to: <45D9277A.500@stevefink.net>
References: <45D9277A.500@stevefink.net>

Steve Finkelstein writes:
> [root@bar cacerts]# ldapsearch -x -h "ldap.domain.com" -p 636 -v

You are trying to use the LDAP protocol against the LDAPS port, which
expects the TLS protocol.  That does not work.

The clients do not deduce the protocol from the port number.  They
deduce the _default_ port number (which you can override) from the
protocol.

There are two ways to use TLS:

1. ldapsearch -x -ZZ -h "ldap.domain.com" ...

This uses the LDAP protocol (on port 389), and -ZZ tells the client to
use the StartTLS LDAP.  This switches to the TLS protocol and then
resumes LDAP "inside" that protocol.

2. ldapsearch -x -H "ldaps://ldap.domain.com/" ...

This uses the LDAPS protocol (on port 636).  This port listens for TLS
as if StartTLS had already been done.

BTW, don't combine -ZZ and ldaps://.  You can't start TLS when TLS is
already started.

-- 
Regards,
Hallvard

Follow-Ups:
- Re: SSL/TLS Inquiry
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- SSL/TLS Inquiry
  - From: Steve Finkelstein <sf@stevefink.net>

Prev by Date: Re: OpenLDAP 2.4
Next by Date: Re: SSL/TLS Inquiry
Index(es):
- Chronological
- Thread