[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: StartTLS downgrading

To: "Howard Chu" <hyc@highlandsun.com>
Subject: RE: StartTLS downgrading
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sun, 23 Feb 2003 17:11:20 -0800
Cc: "'Timothy H Folks'" <Timothy.Folks@edgescape.com>, <openldap-software@OpenLDAP.org>
In-reply-to: <001901c2db9c$c6eb84a0$0e01a8c0@CELLO>
References: <OF6918E440.39E2ECA6-ON86256CD6.0082C1A7-86256CD6.0082E331@edgescape.com>

At 04:30 PM 2/23/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Timothy H Folks
>
>> I found the following note in the LDAP tips section of Sun's JNDI
>> tutorial:
>>
>> Note 2: The OpenLDAP server, upon receiving the tls.close(),
>> will shut
>> down the connection instead of downgrading it to a plain connection.
>>
>> Is this still true?
>
>Yes.

>The RFC never mandated a particular behavior for this operation.

For clarity here, RFC 2830, 4.1 described graceful TLS closure
however states that it continuing to process LDAP messages
post closure is a MAY (e.g., optional).

>OpenLDAP just does whatever OpenSSL does. OpenSSL's "close" function tears
>down the SSL session and closes the socket.

OpenSSL issues aside, OpenLDAP purposefully refuses to continue
to process LDAP messages after TLS closure for security reasons.

Kurt

References:
- StartTLS downgrading
  - From: Timothy H Folks <Timothy.Folks@edgescape.com>
- RE: StartTLS downgrading
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: StartTLS downgrading
Next by Date: Re: [LDAP-SOFTWARE] ACLand regex (matching self)
Index(es):
- Chronological
- Thread