[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Forcing TLS encryption

To: Philip Guenther <guenther+ldaptech@sendmail.com>
Subject: Re: Forcing TLS encryption
From: Wiebe Cazemier <wiebe@halfgaar.net>
Date: Fri, 28 Dec 2012 21:56:24 +0100 (CET)
Cc: Dieter KlÃnter <dieter@dkluenter.de>, openldap-technical@openldap.org
In-reply-to: <alpine.BSO.2.00.1212281229001.27566@morgaine.smi.sendmail.com>
References: <985577790.9606.1356102006319.JavaMail.root@halfgaar.net> <634F18FA-7BB5-4D83-9C02-EE46CFE6298C@oracle.com> <288778360.11025.1356340479288.JavaMail.root@halfgaar.net> <20121227155321.045a9e29@violet.avci.de> <1438144113.14442.1356682491834.JavaMail.root@halfgaar.net> <alpine.BSO.2.00.1212281229001.27566@morgaine.smi.sendmail.com>
Thread-index: yReFDelLoFP2MZThcPrq3FMKQ8U5+g==
Thread-topic: Forcing TLS encryption

----- Original Message -----
> From: "Philip Guenther" <guenther+ldaptech@sendmail.com>
> To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> Cc: "Dieter KlÃnter" <dieter@dkluenter.de>, openldap-technical@openldap.org
> Sent: Friday, 28 December, 2012 9:36:50 PM
> Subject: Re: Forcing TLS encryption
> 
> On Fri, 28 Dec 2012, Wiebe Cazemier wrote:
> > I understand that, but this way, even when you're forcing TLS,
> > users can
> > still expose their passwords if their computers are mal-configured.
> > SMTP, IMAP, FTP, etc don't allow this, because they reject the
> > connection if LOGINNAME is given before STARTTLS.
> 
> That is not true of SMTP's AUTH PLAIN, IMAP's AUTHENTICATE PLAIN, or
> IMAP's LOGIN.  The PLAIN SASL mechanism and IMAP's LOGIN command both
> send
> the username and password without waiting for a response from the
> server**.
> 
> 
> > It's kind of a security issue. Is it because in LDAP, username and
> > password are given as one command, and the server doesn't have the
> > chance to abort at that point? If so, then I guess it's
> > unavoidable.
> 
> Correct.
> 
> 
> Philip Guenther
> 
> ** Well, to be completely accurate, IMAP AUTHENTICATE requires a
> server
> response if the server doesn't support the SASL-IR capability
> 
> 

Then why is the LDAPS port deprecated? If the connection is SSL from the start, you don't have this issue.

Follow-Ups:
- Re: Forcing TLS encryption
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

References:
- Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Chuck Lever <chuck.lever@oracle.com>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Forcing TLS encryption
  - From: Wiebe Cazemier <wiebe@halfgaar.net>
- Re: Forcing TLS encryption
  - From: Philip Guenther <guenther+ldaptech@sendmail.com>

Prev by Date: Re: Forcing TLS encryption
Next by Date: Re: Forcing TLS encryption
Index(es):
- Chronological
- Thread