
Re: TLS + SSL and openldap



Michael Ströder <michael@stroeder.com> writes:

> Dieter Kluenter wrote:
>> Bruno Steven <aspenbr@gmail.com> writes:
>>> I am trying to configure openldap to work with tls, but I have two questions about this. First,
>>> when I use tls openldap uses port 389 and ssl port 639, is this correct?
>>> Second, how can I test the connection between client and server, is cryptography working?
>> 
>> There is no ssl port! SSL (Secure Socket Layer) is a proprietary,
>> licence-based protocol, owned by Netscape? I don't know whether the
>> IPR of this protocol has been part of the Netscape/AOL deal. OpenLDAP,
>> and most other network-based applications, have implemented Transport
>> Layer Security (TLS), RFC 2246. As an LPI certified professional you
>> should be aware of this.
>
> Sorry Dieter, don't mess up things. Your comment is at least strongly
> misleading: E.g. OpenSSL (also libnss) certainly implements SSLv3 (and even
> insecure SSLv2) and you can use that to connect to 3rd party LDAP servers with
> the OpenLDAP client libs or connect to OpenLDAP servers.

Right you are: a client defines the protocol required in the client hello,
which can be either SSLv3 or TLSv1 (SSLv2 is deprecated). AFAIK OpenLDAP
reports TLSv1 in the server hello. In the last few years I haven't
seen any client or server that submits SSLv3 in the hello.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
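The two points raised in this thread, that the version lives in the client hello and server hello, and Bruno's question of how to check that the connection is actually encrypted, can be shown with a small script. This is an added example, not code from this thread or from OpenLDAP: the three handshake records below are constructed by hand (their random and session-id fields are zero padding), `parse_hello` reads only the v3-style hello layout (not the old SSLv2-compatible ClientHello), and `ldaps_negotiated_version` assumes a reachable LDAPS listener whose certificate chains to the system trust store.

```python
"""Read the protocol version a TLS peer offers or selects, and check a live LDAPS port.

Added example for the openldap TLS thread; not OpenLDAP code. Sample records
are constructed (hypothetical), not captured from a real server.
"""
import socket
import ssl
import struct

# Version field as it appears on the wire: (major, minor) -> name.
VERSION_NAMES = {
    (2, 0): "SSLv2",   # never carried in a v3-style hello; listed so ordering is complete
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}

HANDSHAKE = 0x16           # record-layer content type for handshake messages
CLIENT_HELLO = 0x01
SERVER_HELLO = 0x02
HELLO_NAMES = {CLIENT_HELLO: "ClientHello", SERVER_HELLO: "ServerHello"}


def parse_hello(record: bytes) -> dict:
    """Return message type, record-layer version and hello version of one Hello record.

    Layout: type(1) version(2) length(2) | msg_type(1) length(3) | hello body,
    whose first two bytes are the version the client offers or the server selects.
    """
    if len(record) < 11:
        raise ValueError("record too short to hold a handshake header")
    ctype, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"not a handshake record (type 0x{ctype:02x})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length field does not match the data present")
    msg_type = body[0]
    if msg_type not in HELLO_NAMES:
        raise ValueError(f"handshake message 0x{msg_type:02x} is not a Hello")
    msg_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + msg_len]
    if len(hello) < 2:
        raise ValueError("hello body truncated before the version field")
    return {
        "message": HELLO_NAMES[msg_type],
        "record_version": VERSION_NAMES.get((rec_major, rec_minor), "unknown"),
        "hello_version": VERSION_NAMES.get((hello[0], hello[1]), "unknown"),
    }


def meets_minimum(version_name: str, minimum: str = "TLSv1.2") -> bool:
    """True if version_name is at least `minimum`; unknown names fail closed."""
    order = list(VERSION_NAMES.values())
    if version_name not in order or minimum not in order:
        return False
    return order.index(version_name) >= order.index(minimum)


def ldaps_negotiated_version(host: str, port: int = 636) -> str:
    """Connect to an LDAPS listener and return the negotiated protocol name.

    Certificate verification is on, as with ldapsearch and TLS_REQCERT demand;
    a server that only offers a version below the context's minimum fails
    the handshake, which is itself the answer to "is cryptography working".
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()  # e.g. "TLSv1.2"


# Constructed samples: a ClientHello with TLSv1.0 in the record layer offering
# TLSv1.2, a ServerHello selecting TLSv1.2, and a ServerHello selecting SSLv3.
# Each record is 5 + 39 bytes; the hello body is version + 33 bytes of padding.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16 03 01 00 27 01 00 00 23 03 03") + b"\x00" * 33
SAMPLE_SERVER_HELLO = bytes.fromhex("16 03 03 00 27 02 00 00 23 03 03") + b"\x00" * 33
SAMPLE_SSLV3_SERVER_HELLO = bytes.fromhex("16 03 00 00 27 02 00 00 23 03 00") + b"\x00" * 33

if __name__ == "__main__":
    import sys
    for sample in (SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO, SAMPLE_SSLV3_SERVER_HELLO):
        print(parse_hello(sample))
    if len(sys.argv) > 1:  # usage: python tls_check.py ldap.example.com [636]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        negotiated = ldaps_negotiated_version(host, port)
        print(host, "negotiated", negotiated,
              "ok" if meets_minimum(negotiated) else "BELOW MINIMUM")
```

The parser answers the first point offline: the record-layer version and the version inside the hello body are separate fields, and it is the hello field that carries the offer or the selection. For the live check, the same result can be had with the tools already on an OpenLDAP host: `ldapsearch -ZZ` (StartTLS on 389, failing if it cannot be negotiated) or `ldapsearch -H ldaps://host/`, and `openssl s_client -connect host:636`, whose output names the negotiated protocol; on the server side, `TLSProtocolMin` in slapd's TLS configuration sets the floor the script's `meets_minimum` is checking for.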