
Re: TLS or plain?



Stephen Frost wrote:
* Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:

It is my understanding that when a client connects
to a server using ldaps://.... instead of ldap://...
then a TLS session is first negotiated with the server,
then the client uses whatever "method" is specified...

This isn't really accurate. ldaps is for SSL sessions. TLS is used on the regular ldap:// port and is a way to 'upgrade' a connection to encrypted.

*Your* explanation isn't really accurate.

You are probably talking about LDAP on top of an SSL/TLS layer (an out-of-band encryption tunnel, usually on a separate port) vs. using the StartTLS extended operation in an existing LDAPv3 connection (negotiating the encryption tunnel in-band).

TLSv1 is the successor of SSLv3, standardized by the IETF (SSL was a proprietary protocol developed by Netscape), and it has nothing to do with LDAP in the first place. If you use ldaps://, depending on the client and server configuration, you can use either SSL or TLS.

Ciao, Michael.
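The distinction Michael draws, shown at the wire level. This is an added example written for this page, not code from anyone in the thread: for ldaps:// the client completes the TLS handshake before it sends any LDAP PDU, whereas with StartTLS the client first sends a cleartext LDAPv3 ExtendedRequest carrying the StartTLS OID (1.3.6.1.4.1.1466.20037, RFC 4511 / RFC 4513) and only wraps the existing socket in TLS after a success ExtendedResponse. The small BER helpers, the constructed server reply, and the single `recv()` in `connect_starttls` are ours and simplified (a real client reads exactly one PDU by its BER length); the TLS context pins a minimum of TLSv1.2 because, as the post says, "ldaps" alone does not decide which SSL/TLS version gets negotiated.

```python
"""ldaps:// (TLS first) vs. ldap:// + StartTLS (in-band upgrade) at the wire level.

Added example for this thread, not the list's or OpenLDAP's own code.  The BER
helpers and SAMPLE_SUCCESS_RESPONSE are constructed here; tags and the OID are
from RFC 4511 section 4 and RFC 4513 section 3.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER tags used by LDAPMessage / ExtendedRequest / ExtendedResponse
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] requestName inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A      # [10] responseName inside ExtendedResponse


def ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }, sent in cleartext."""
    ext_req = tlv(TAG_EXTENDED_REQUEST,
                  tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + ext_req)


def parse_extended_response(pdu):
    """Return (message_id, result_code, diagnostic_message, response_name) from an ExtendedResponse PDU."""
    tag, body, _ = read_tlv(pdu)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp)          # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, pos = read_tlv(resp, pos)     # diagnosticMessage
    response_name = None
    while pos < len(resp):                 # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = val.decode("ascii")
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"), response_name)


# Constructed success reply (not captured traffic): resultCode 0, empty matchedDN and
# diagnosticMessage, responseName echoing the StartTLS OID as OpenLDAP does.
SAMPLE_SUCCESS_RESPONSE = tlv(TAG_SEQUENCE,
    tlv(TAG_INTEGER, b"\x01") +
    tlv(TAG_EXTENDED_RESPONSE,
        tlv(TAG_ENUMERATED, b"\x00") +
        tlv(TAG_OCTET_STRING, b"") +
        tlv(TAG_OCTET_STRING, b"") +
        tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii"))))


def tls_context():
    """Same policy for both modes: verify the server and refuse anything below TLSv1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_ldaps(host, port=636):
    """ldaps://: handshake first; the first LDAP PDU already travels inside the tunnel."""
    raw = socket.create_connection((host, port))
    return tls_context().wrap_socket(raw, server_hostname=host)


def connect_starttls(host, port=389):
    """ldap:// + StartTLS: one cleartext LDAP round trip, then upgrade the same socket."""
    raw = socket.create_connection((host, port))
    raw.sendall(build_starttls_request(1))
    reply = raw.recv(4096)  # simplification: assumes the whole PDU arrives in one read
    mid, code, diag, _name = parse_extended_response(reply)
    if mid != 1 or code != 0:
        raw.close()
        raise RuntimeError("StartTLS refused: resultCode=%d %s" % (code, diag))
    return tls_context().wrap_socket(raw, server_hostname=host)
```

`build_starttls_request(1)` produces the 31-byte PDU `30 1d 02 01 01 77 18 80 16 31 2e 33 ...` that a sniffer shows on port 389 before the ClientHello; with `connect_ldaps` the ClientHello is the very first thing on the wire. Both paths share `tls_context()`, which is where the version policy lives regardless of which URL scheme was used.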