[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TSL / SSL

To: "Jason Corley" <Jason.Corley@togethersoft.com>, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, <openldap-software@OpenLDAP.org>
Subject: RE: TSL / SSL
From: "Howard Chu" <hyc@highlandsun.com>
Date: Sun, 16 Jun 2002 15:03:06 -0700
Importance: Normal
In-reply-to: <ED2FC8A5283B9B4EA02D763CDCB866B40C7307@ushqmailw01.togethersoft.net>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jason Corley

> I'm a little confused by the word "deprecated" here in reference
> to ldaps.  I thought ldaps was ssl encrypted openldap traffic?  I
> guess I'm not understanding what the proper way to configure
> openldap and/or initiate encrypted traffic is based on this
> statement.  Pointers to documentation more than welcome.

The practice of using ldaps, i.e. LDAP on SSL, arose with LDAPv2. It was
never formally documented as a standard. A listener port that is configured
for ldaps can only accept SSL connections, not cleartext connections.

The LDAPv3 standard defined a new LDAP request called StartTLS that can
be sent after a connection is established. So a single cleartext listener
port can be used to handle both cleartext sessions and TLS-encrypted
sessions. This approach is more flexible, as it doesn't require a
dedicated listener port for encrypted sessions.

Once the encrypted session has been established, there's no difference
between
the two methods.

> -----Original Message-----
> From:	Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent:	Sat 6/15/2002 9:33 PM
> To:	Benoit LEROYER
> Cc:	Informations; openldap-software@OpenLDAP.org
> Subject:	Re: TSL / SSL
> At 10:07 AM 2002-06-14, Benoit LEROYER wrote:
> >What is the difference between starttls et ldaps ?
>
> Start TLS (RFC 2830) is the standard track mechanism,
> an LDAP operation, used in to establish TLS.
>
> ldaps:// is a deprecated, non-standard track mechanism
> for establishing TLS based upon mutually agreed upon
> TCP service ports.
>
> OpenLDAP supports both mechanisms.
>
> Kurt
>
>
>
>
> >Kurt D. Zeilenga wrote:
> >
> >>At 09:46 AM 2002-06-14, Informations wrote:
> >>
> >>>if i use only ldaps protocol (openldap compiled with openssl)
> with crypt Userpassword,  is-it secure ?
> >>>if not what is the better solution ?
> >>Better, as in stronger?  The strongest authentication
> >>mechanism supported by OpenLDAP is StartTLS+SASL/EXTERNAL.
> >>
> >
> >
> >--
> >------------------------------------------
> >Benoit LEROYER - G.I.D.E (benoit@gide.net)
> >Tél : 02.40.89.92.87
> >Web : http://www.gide.net
> >------------------------------------------
>
>
>

References:
- RE: TSL / SSL
  - From: "Jason Corley" <Jason.Corley@togethersoft.com>

Prev by Date: Active Directory
Next by Date: Re: OpenLDAP 2.1 Released
Index(es):
- Chronological
- Thread