[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TSL / SSL

To: <openldap-software@OpenLDAP.org>
Subject: RE: TSL / SSL
From: "Mark H. Wood" <mwood@IUPUI.Edu>
Date: Mon, 17 Jun 2002 08:47:07 -0500 (EST)
In-reply-to: <ED2FC8A5283B9B4EA02D763CDCB866B40C7307@ushqmailw01.togethersoft.net>

On Sun, 16 Jun 2002, Jason Corley wrote:
> I'm a little confused by the word "deprecated" here in reference to
> ldaps.

It means that IETF recommends against using the ldaps: mechanism for
establishing an encrypted LDAP connection.

ldaps: uses a different TCP port than ldap:, and simply assumes that the
entire session will be encapsulated in TLS.  START TLS is a request to
negotiate TLS encapsulation on an established session, and can be used on
the original LDAP port.

In either case you get and encrypted session (assuming a successful TLS
handshake).  ldaps: uses up an additional port number, and IETF is
concerned about running out of ports if every protocol needs two of them
to accommodate the addition of encryption.  So according to IETF, the best
way to allow both "plain" and "fancy" (e.g. encrypted) usage of a protocol
is to extend the protocol to allow requests for engaging the "fancy"
modes.  (FWIW I agree with this.)

Secure communication is not deprecated.  Using two ports where one would
do is deprecated.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
It isn't wrong, but we *just don't do it*. -- Gordon, the big engine

References:
- RE: TSL / SSL
  - From: "Jason Corley" <Jason.Corley@togethersoft.com>

Prev by Date: installation problem..of OpenLDAP
Next by Date: RE: TSL / SSL
Index(es):
- Chronological
- Thread