
Re: TLS/SSL future direction



And, just to make it clear.
        StartTLS is the Standard Track mechanism (RFC 2830)
        for enabling TLS (RFC 2246) for LDAPv3 (RFC 2251).
        StartTLS is considered an integral part of the
        LDAPv3 "core" technical specification.

        ldaps:// is experimental, basically LDAPv2 over SSL.
        In fact, there is no formal specification for what it
        does, let alone how it does it.

LDAPv2 and ldaps:// are considered deprecated in favor of
LDAPv3 and StartTLS.

Kurt

At 10:08 AM 2002-01-03, Julio Sánchez Fernández wrote:
>Drew Raines <drew@phg.mc.vanderbilt.edu> writes:
>
>> TLS and SSL are always mentioned together even though they're seemingly
>> quite different implementations.  What gives?
>
>TLS and SSL are essentially the same, think of TLS as SSL v3++ with a
>funny name.
>
>Now, what is misleading many people is mistaking StartTLS for TLS.
>There are two mechanisms for doing SSL/TLS:
>
>      - Starting SSL/TLS on a TCP connection and *after* it has been
>        set up, start talking some application protocol, LDAP in this
>        case.  This will be done usually on a different port from
>        that used for the normal protocol.  When only a few protocols
>        wanted this it was workable but soon it got out of hand and
>        opened the door to the next round of spurious port number
>        allocations as soon as someone came with a new invention.
>
>      - Starting an application protocol connection and then, if
>        capability negotiation permits it, start an SSL/TLS negotiation
>        and then start talking over the newly set-up layer thus created
>        *on the same connection*. Each protocol does it differently.
>        It is STLS for POP3, STARTTLS for SMTP, etc.  And it is the
>        extended operation StartTLS for LDAP.  This is the preferred
>        mechanism for all new protocols and most protocols are
>        migrating to this.
>
>In principle, you can use both SSL and TLS on either scenario. But
>many people think SSL is the first method and TLS the second.
>
>It is not so.
>
>Julio
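As an added illustration of the second mechanism described above (this is not code from the thread or from the OpenLDAP project), the Python below hand-encodes the LDAPv3 StartTLS ExtendedRequest of RFC 2830 and decodes the ExtendedResponse a client must check before it begins the TLS handshake on the same, still-open connection; the OID and BER tag numbers come from RFC 2251/2830, while the helper names and the sample server replies are constructed for the example.

```python
"""BER framing of the LDAPv3 StartTLS extended operation (RFC 2830), built by hand for illustration."""

START_TLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID (RFC 2830)

def _tlv(tag: int, body: bytes) -> bytes:
    """BER TLV with short-form or long-form definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def _read_tlv(data: bytes, pos: int):
    """Return (tag, body, position after the TLV) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _message_id(message_id: int) -> bytes:
    return _tlv(0x02, message_id.to_bytes(message_id.bit_length() // 8 + 1, "big"))

def start_tls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }, sent in
    cleartext on the already-open LDAP connection; StartTLS defines no requestValue."""
    ext = _tlv(0x77, _tlv(0x80, START_TLS_OID))  # 0x77 = APPLICATION 23 constructed, 0x80 = [0]
    return _tlv(0x30, _message_id(message_id) + ext)

def extended_response(message_id: int, result_code: int, error: bytes = b"") -> bytes:
    """Constructed sample server reply: extendedResp [APPLICATION 24] carrying an LDAPResult."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, error)  # resultCode, matchedDN, errorMessage
    body += _tlv(0x8A, START_TLS_OID)            # responseName [10], set to the StartTLS OID per RFC 2830
    return _tlv(0x30, _message_id(message_id) + _tlv(0x78, body))

def parse_extended_response(data: bytes) -> dict:
    """Decode an LDAPMessage holding an ExtendedResponse into its fields."""
    _, msg, _ = _read_tlv(data, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(body, 0)
    _, _, pos = _read_tlv(body, pos)             # matchedDN, not needed here
    _, err, pos = _read_tlv(body, pos)
    name = None
    while pos < len(body):                       # optional trailing fields (referral, responseName, response)
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            name = val
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code[0],
            "error": err.decode("utf-8", "replace"), "response_name": name}

def tls_may_start(response: bytes, expected_id: int) -> bool:
    """Begin the TLS handshake on the same socket only on a matching, successful reply;
    any other outcome must fail closed instead of continuing in cleartext."""
    r = parse_extended_response(response)
    return r["message_id"] == expected_id and r["result_code"] == 0
```

With ldaps:// the socket is wrapped in TLS before any LDAP PDU is exchanged, so none of this framing is sent; with StartTLS the request above is the last cleartext PDU and the handshake follows it on the same connection.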