[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: ldaps://
I personally prefer a dedicated SSL port for the same reasons. However,
there's no need for stunnel to wrap OpenLDAP, just use ldaps://.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Derek Simkowiak
> > I've just read the FAQ part about ldap:// and ldaps:// and
> wanted to make
> > sure I understood it correctly.
>
> This is a short opinion about StartTLS vs. pure TLS (like using
> stunnel).
>
> I'm doing a new setup and this question has presented itself for
> both LDAP and SMTP and IMAP -- force standard SSL on a high port, like
> 636, using stunnel, or offer standard services on the
> standard ports, and
> configure the server applications such that "StartTLS" is required.
>
> Here's my argument AGAINST the "StartTLS" method, and
> FOR a forced
> SSL connection on a high port (regardless of IANA revoking
> those high port
> numbers for SSL connections). I'll use SMTP as the
> posterchild example.
> This assumes the server is on a public network (which is usually the
> impetus for messing with SSL in the first place).
>
> There are many Bad Guys who will scan my port 25, looking to see
> what version of software I'm using (for the purpose of
> exploiting known
> bugs/buffer overflows), as well as server misconfiguration
> (i.e., is this
> an open relay that we can spam from).
>
> Every time one of these Bad Guys probes me, then with
> the StartTLS
> option, the server has to accept the connection, wait for the
> (necessary
> by config file) StartTLS command, and then eventually timeout and
> disconnect the Bad Guy when no StartTLS comes. Their initial TCP
> connection is successful before we have any chance to verify
> client certs,
> and furthermore, they know what service I'm offering. Since they can
> determine my O.S. from the way my TCP/IP stack behaves, they
> could narrow
> down the list of potential SMTP servers to the most popular ones (with
> SMTP, that would be sendmail, postfix, or qmail. With LDAP,
> running on
> Linux, you have a very high likelihood of it being OpenLDAP.)
>
> If instead you are running pure SSL on a high port,
> then for one,
> you can set your firewall rules for port 25 to not repond at
> all -- the
> spammers will not even know there's a computer at that I.P.
> address, let
> alone a mail server. This costs my server absolutely nothing
> at all, and
> the Bad Guys have to wait for their TCP/IP stack to timeout before
> deciding that there is no computer there (at least, not on that port).
>
> If they scan ALL my ports, all they will see is an SSL
> listener on
> the high port. They will have no idea what service (or what server
> software!) is running.
>
> And when valid users do connect on the high port, it's pure TLS
> from the get-go, meaning we can verify their client
> certificate before any
> connection at all is even established to the SMTP/LDAP/IMAP server.
>
> So for those reasons, I think just having SSL on a high port is
> preferable. Your users need to configure the server name in
> their clients
> anyhow, so it is practically no extra work to tell them to
> set the port to
> 636 (or whatever).
>
> I'd be very interested to hear what others have to say
> about this.
> For me, this means I'm using stunnel to wrap OpenLDAP,
> instead of using
> OpenLDAP's native TLS support. If I choose a port number above 1024,
> stunnel doesn't even need to be suid root.
>
>
> Thanks,
> Derek Simkowiak
>
>
>