
Re: Forcing TLS encryption



On Fri, 28 Dec 2012 09:14:51 +0100 (CET),
Wiebe Cazemier <wiebe@halfgaar.net> wrote:

> ----- Original Message -----
> > From: "Dieter Klünter" <dieter@dkluenter.de>
> > To: openldap-technical@openldap.org
> > Sent: Thursday, 27 December, 2012 3:53:21 PM
> > Subject: Re: Forcing TLS encryption
> > 
> > On Mon, 24 Dec 2012 10:14:39 +0100 (CET),
> > Wiebe Cazemier <wiebe@halfgaar.net> wrote:
> > 
> > 
> > 
> > In order to initiate Transport Layer Security you have to call the
> > extended operation ldapSTARTTLS.
> > 
> > -Dieter
> > 
> > --
> > Dieter Klünter | Systems consulting
> > http://dkluenter.de
> > GPG Key ID:DA147B05
> > 53°37'09,95"N
> > 10°08'02,42"E
> > 
> > 
> 
> I understand that, but this way, even when you're forcing TLS, users
> can still expose their passwords if their computers are
> misconfigured. SMTP, IMAP, FTP, etc. don't allow this, because they
> reject the connection if LOGINNAME is given before STARTTLS.

No. RFC 4513 clearly states:

    ... however, where a client intends to
    perform both a Bind operation and a StartTLS operation, it SHOULD
    first perform the StartTLS operation so that the Bind request and
    response messages are protected by the data security services
    established by the StartTLS operation.
[...]


-Dieter

-- 
Dieter Klünter | Systems consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
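The RFC text Dieter quotes is a SHOULD addressed to the client, which is exactly Wiebe's worry: nothing in the protocol stops a misconfigured client from sending a simple Bind, password included, before it issues StartTLS. The following is an added example, not code from this thread, from OpenLDAP or from either poster. It encodes the StartTLS extended request as it appears on the wire, recognizes it in a raw LDAPMessage, and runs a small per-connection auditor that flags (or, on a server, would reject) a password-carrying Bind that arrives before StartTLS has completed. Assumptions not stated in the thread: the StartTLS requestName OID 1.3.6.1.4.1.1466.20037 from RFC 4511, BER short-form lengths in the recognizer (every real StartTLS request is far below 128 bytes), and a constructed event model of ("extended", oid) / ("tls_ok",) / ("bind", dn, has_password) tuples standing in for whatever a capture tool or server hook would actually produce.

```python
# Added example for this thread (not code from the list or from OpenLDAP):
# encode and recognize the LDAP StartTLS ExtendedRequest, and audit a
# connection for a simple Bind sent before StartTLS completed.
#
# Assumptions (not from the thread): StartTLS requestName OID
# 1.3.6.1.4.1.1466.20037 (RFC 4511); BER short-form lengths in the
# recognizer; a constructed event model ("extended", oid) / ("tls_ok",) /
# ("bind", dn, has_password) in place of real capture or server-hook data.

from dataclasses import dataclass, field
from typing import List, Tuple

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS requestName, RFC 4511


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_extended_request(message_id: int = 1) -> bytes:
    """Encode LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.

    StartTLS carries no requestValue, so the payload is just the OID string.
    """
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID.encode("ascii")
    ext_req = b"\x77" + ber_len(len(name)) + name   # 0x77 = constructed [APPLICATION 23]
    # Minimal positive BER INTEGER for the messageID (leading 0x00 when the high bit is set).
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    mid_tlv = b"\x02" + ber_len(len(mid)) + mid
    body = mid_tlv + ext_req
    return b"\x30" + ber_len(len(body)) + body


def is_starttls_request(raw: bytes) -> bool:
    """Recognize a StartTLS ExtendedRequest in a raw LDAPMessage (short-form lengths only)."""
    try:
        if raw[0] != 0x30 or raw[2] != 0x02:
            return False
        i = 4 + raw[3]                              # skip SEQUENCE header and messageID TLV
        if raw[i] != 0x77 or raw[i + 2] != 0x80:    # ExtendedRequest with requestName [0]
            return False
        name_len = raw[i + 3]
        return raw[i + 4 : i + 4 + name_len] == STARTTLS_OID.encode("ascii")
    except IndexError:
        return False


Event = Tuple   # ("extended", oid) | ("tls_ok",) | ("bind", dn, has_password)


@dataclass
class BindAuditor:
    """Per-connection state: has StartTLS completed, and what was sent before it."""
    tls_established: bool = False
    findings: List[str] = field(default_factory=list)

    def observe(self, event: Event) -> bool:
        """Return True if the operation is acceptable under a 'no password Bind
        before TLS' policy; False means a server enforcing that policy would
        reject it, and the auditor records a finding either way."""
        kind = event[0]
        if kind == "extended":
            return True                     # StartTLS itself necessarily travels in the clear
        if kind == "tls_ok":
            self.tls_established = True     # TLS handshake finished after StartTLS
            return True
        if kind == "bind":
            _, dn, has_password = event
            if has_password and not self.tls_established:
                self.findings.append(f"simple Bind for {dn} before StartTLS")
                return False
            return True                     # anonymous Bind or Bind under TLS
        return True                         # other operations are outside this policy


def audit_trace(trace: List[Event]) -> List[str]:
    """Run one connection's events through the auditor and return the findings."""
    auditor = BindAuditor()
    for ev in trace:
        auditor.observe(ev)
    return auditor.findings


# Constructed traces for illustration, not captured data.
SAFE_TRACE = [("extended", STARTTLS_OID), ("tls_ok",),
              ("bind", "cn=admin,dc=example,dc=com", True)]
LEAKY_TRACE = [("bind", "cn=admin,dc=example,dc=com", True),   # password sent in the clear
               ("extended", STARTTLS_OID), ("tls_ok",)]

if __name__ == "__main__":
    print(starttls_extended_request().hex())
    print("safe :", audit_trace(SAFE_TRACE))
    print("leaky:", audit_trace(LEAKY_TRACE))
```

The auditor makes the asymmetry in the thread concrete: the client-side SHOULD of RFC 4513 protects only well-behaved clients, so the place to force the ordering is the server or a monitor in front of it. In OpenLDAP that enforcement is the slapd `security` directive (for example `security ssf=128` or `security simple_bind=128`), which is a known slapd feature rather than something the thread itself mentions.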