[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Forcing TLS encryption

----- Original Message -----
> From: "Dieter KlÃnter" <dieter@dkluenter.de>
> To: openldap-technical@openldap.org
> Sent: Thursday, 27 December, 2012 3:53:21 PM
> Subject: Re: Forcing TLS encryption
> Am Mon, 24 Dec 2012 10:14:39 +0100 (CET)
> schrieb Wiebe Cazemier <wiebe@halfgaar.net>:
> In order to initiate Transport Layer Security you have to call the
> extended operation ldapSTARTTLS.
> -Dieter
> --
> Dieter KlÃnter | Systemberatung
> http://dkluenter.de
> GPG Key ID:DA147B05
> 53Â37'09,95"N
> 10Â08'02,42"E

I understand that, but this way, even when you're forcing TLS, users can still expose their passwords if their computers are mal-configured. SMTP, IMAP, FTP, etc don't allow this, because they reject the connection if LOGINNAME is given before STARTTLS.

It's kind of a security issue. Is it because in LDAP, username and password are given as one command, and the server doesn't have the chance to abort at that point? If so, then I guess it's unavoidable.