Re: SSL3 alert write:fatal:unknown CA

Quanah Gibson-Mount wrote:
>> Hi Kent,
>> I looked in your excellent Document OpenLDAP_TLS_howto, also because
>> Quanah Gibson-Mount mentioned it.
>>
>> In Chapter 7 Using TLS you give the following example:
>>
>> ldapsearch -x -b 'dc=myserver,dc=com' -D "cn=Manager,dc=myserver,dc=com"
>> '(objectclass=*)' -H ldaps://myserver.com -W -ZZ
>>
>> I thought TLS was working on port 389 and only SSL was using ldaps://
>> If that's true the command would be:
>
>Pierre, SSL and TLS are essentially the same thing.  OpenLDAP does SSL+TLS
>on port 389.  By specifying ldaps://, you request that it make an encrypted
>call to the OpenLDAP server, via SSL/TLS encryption.
>
>--Quanah

One step further ... TLSv1 is basically SSLv3.
SSL-enabled OpenLDAP servers use port 636 by default, but can use other
ports if the server is started on those drives.
TLS can be enabled on any OpenLDAP server port besides SSL ports.  389 is
the default LDAP server port.

example:
% slapd -h "ldap:///  ldap://:12345  ldaps:///  ldaps://:999"

gives 2 SSL-enabled ports (636 & 999) and 2 'potential' TLS-enabled ports
(389 & 12345) if OpenLDAP clients start TLS.

Cheers,
Kent Soper

"You don't stop playing because you grow old ...
       you grow old because you stop playing."

Linux Technology Center, Linux Security
phone:  1-512-838-9216
e-mail:  dksoper@us.ibm.com
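The distinction Kent draws above (ldaps:// listeners encrypt from the first byte on 636 or whatever port is given, while plain ldap:// listeners are only encrypted if the client issues StartTLS, which is what ldapsearch's -ZZ requests) can be checked mechanically from the URL list handed to `slapd -h`. The following POSIX shell function is an added example and is not code from the thread or from the OpenLDAP project; it assumes the standard defaults of 389 for ldap:// and 636 for ldaps:// when a URL carries no explicit port, and the host name myserver.com is taken from the thread only as a placeholder.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or OpenLDAP itself.
# Classify each listener URL given to `slapd -h` and print, per URL,
# the port, whether it is TLS-on-connect (ldaps) or plaintext unless the
# client starts TLS (starttls), and the matching ldapsearch invocation.
#
# $1: the space-separated URL list exactly as passed to slapd -h
# $2: host name to use in the client hint (constructed placeholder)
classify_slapd_urls() {
    host=${2:-myserver.com}
    for url in $1; do
        scheme=${url%%://*}      # ldap, ldaps or ldapi
        rest=${url#*://}         # e.g. "/" or ":12345" or "host:999/"
        hostport=${rest%%/*}     # strip any trailing path
        case $hostport in
            *:*) port=${hostport##*:} ;;   # explicit port present
            *)   port= ;;                  # fall back to scheme default
        esac
        case $scheme in
            ldaps)
                # Encrypted from the first byte; no StartTLS needed or wanted.
                printf '%s ldaps ldapsearch -H ldaps://%s:%s\n' \
                    "${port:-636}" "$host" "${port:-636}"
                ;;
            ldap)
                # Plaintext unless the client upgrades with StartTLS (-ZZ).
                printf '%s starttls ldapsearch -H ldap://%s:%s -ZZ\n' \
                    "${port:-389}" "$host" "${port:-389}"
                ;;
            ldapi)
                # Unix-domain socket: no TCP port, no TLS layer at all.
                printf 'unix-socket ldapi (no TLS)\n'
                ;;
            *)
                printf 'unknown %s\n' "$url"
                ;;
        esac
    done
}

# Usage with the exact URL list from the mail above:
classify_slapd_urls "ldap:///  ldap://:12345  ldaps:///  ldaps://:999" myserver.com
```

Run as written, the function reports two ldaps ports (636 and 999) and two StartTLS-capable ports (389 and 12345), matching Kent's reading of that command line; the client hints show that -ZZ belongs with an ldap:// URL, while an ldaps:// URL is already encrypted without it.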