RE: StartTLS downgrading
At 04:30 PM 2/23/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Timothy H Folks
>
>> I found the following note in the LDAP tips section of Sun's JNDI
>> tutorial:
>>
>> Note 2: The OpenLDAP server, upon receiving the tls.close(),
>> will shut
>> down the connection instead of downgrading it to a plain connection.
>>
>> Is this still true?
>
>Yes.
>The RFC never mandated a particular behavior for this operation.
For clarity here, RFC 2830, 4.1 describes graceful TLS closure;
however, it states that continuing to process LDAP messages
post closure is a MAY (e.g., optional).
>OpenLDAP just does whatever OpenSSL does. OpenSSL's "close" function tears
>down the SSL session and closes the socket.
OpenSSL issues aside, OpenLDAP purposefully refuses to continue
to process LDAP messages after TLS closure for security reasons.
Kurt