[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: failover config: servers with same DNS address and TLS, subjectAltName extension

manu@netbsd.org (Emmanuel Dreyfus) writes:
> Quanah Gibson-Mount <quanah@zimbra.com> wrote:

>> Just note that using SSL over port 636 is not a defined protocol, and may
>> go away in the future.  Avoidance of its use when possible recommended.

> I have this in /etc/services:
> ldaps           636/tcp    ldap protocol over TLS/SSL (was sldap)

> And checking the authoritative source confirms it's registered.  
> http://www.iana.org/assignments/port-numbers
> So what's wrong with LDAP/SSL over port 636?

There is a general trend for all IETF protocols away from using TLS on a
separate port and towards using the standard port and STARTTLS.
Allocating a second port for every major protocol, one with TLS and one
without, was becoming wasteful of additional ports and there's no need for
it given STARTTLS.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>