
Re: ldap_sasl_interactive_bind_s: Local error ???



Ok, I think that's more or less what I said, in that
SSL and TLS both use SSL encryption and the distinguishing
feature is StartTLS, which can work on a standard port
by requesting to switch to encryption if the listener
on that port understands how to negotiate a StartTLS
command.

Thanks

Bill


Tony Earnshaw wrote:
Wed, 2002-11-20 at 13:43, Bill Dossett wrote:


2: *Raw* Openldap SSL/TLS (TLS is different from SSL) does not use SASL,
which seems to be throwing you out (although SSL is referred to as
SASL EXTERNAL). Not that SSL is not a valid SASL extra, it's just that
Openssl SASL is not necessary for Openldap SSL/TLS.


I'm a little confused by the statement "TLS is different from SSL".
From my understanding, StartTLS is different, but TLS and SSL
are two names for the same thing...  I could certainly be wrong,
and I guess this is for the OpenSSL list, but seeing as almost
everyone seems to be using some form of SSL, I think it is sort
of pertinent to this list as well.


Both use SSL encryption, with the same certificate exchange protocol.

However, Openldap SSL (and Exim, Sendmail, pop3d etc. etc.) can use SSL
for encryption without premise. They would do so for something like smtp
AUTH PLAIN/etc or ldaps auth. In this case, whatever the ports used,
encryption is used for all communication from the word "go." ldaps uses
port 636, pop3s 995, https 443 etc. (look inside /etc/services).

TLS can use existing service ports, such as ldap on 389 and smtp on port
25. In this case, the client has to give a "starttls" command to enable
encryption, but the same encryption protocol and certs can be used for
both.

Hope this helps,

Tony
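The two connection styles Tony describes, ldaps on 636 (TLS from the first byte) and ldap on 389 with a StartTLS command, shown at the wire level in Python. This is an added example, not code from either poster or from OpenLDAP: it builds the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037) by hand in BER, parses the server's ExtendedResponse, and only then upgrades the same socket with the standard library's ssl module. The two connect functions need a real server and are not exercised offline; the sample responses at the bottom are constructed for illustration, and the host/cafile parameters are placeholders.

```python
"""StartTLS on 389 versus ldaps on 636, at the byte level (added example)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 s.4.14)


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(body)) + body


def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x60|23 constructed, [0] primitive
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """Return (msg_id, resultCode, diagnosticMessage, responseName) from one LDAPMessage."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    tag, ext, _ = _read_tlv(body, pos)
    if tag != 0x78:                                 # 0x60|24: extendedResp
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(ext, 0)                # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(ext, pos)          # matchedDN
    _, diag, pos = _read_tlv(ext, pos)              # diagnosticMessage
    name = None
    while pos < len(ext):                           # optional [10] responseName / [11] responseValue
        t, v, pos = _read_tlv(ext, pos)
        if t == 0x8A:
            name = v
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace"), name


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        data += chunk
    return data


def read_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage from a socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        lenbytes = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + lenbytes, int.from_bytes(lenbytes, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def connect_ldaps(host, port=636, cafile=None):
    """ldaps: the TLS handshake happens before any LDAP PDU is sent."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def connect_starttls(host, port=389, cafile=None):
    """ldap + StartTLS: a cleartext ExtendedRequest first, then the same socket is upgraded."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port))
    raw.sendall(starttls_request(msg_id=1))
    msg_id, code, diag, _ = parse_extended_response(read_ldap_message(raw))
    if msg_id != 1 or code != 0:
        raw.close()  # a declined StartTLS must not silently continue in cleartext
        raise ssl.SSLError("server refused StartTLS: resultCode=%d %s" % (code, diag))
    return ctx.wrap_socket(raw, server_hostname=host)


# Constructed sample responses (not captured from a real server) for offline use.
SAMPLE_OK = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"")
                + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)))
SAMPLE_REFUSED = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78, tlv(0x0A, b"\x01") + tlv(0x04, b"")
                     + tlv(0x04, b"TLS already started")))

if __name__ == "__main__":
    print(starttls_request().hex())
    print(parse_extended_response(SAMPLE_OK))
    print(parse_extended_response(SAMPLE_REFUSED))
```

The point of the check in connect_starttls is the caveat Bill's summary glosses over: with ldaps the encryption is in place before the first application byte, but with StartTLS the client has sent a cleartext request and must refuse to proceed if the server answers anything other than resultCode 0, otherwise a listener or middlebox that strips the StartTLS reply downgrades the session to plaintext without the client noticing.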