
Re: debugging tls (apache2 mod_ldap)



At 04:57 AM 7/13/2004, Dick Davies wrote:
>* Dick Davies <rasputnik@hellooperator.net> [0721 15:21]:
>> * Kurt D. Zeilenga <Kurt@OpenLDAP.org> [0709 22:09]:
>
>Sorry to reply to my own post, but I've just been reading
>
>http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#7.0

This (independently authored) article uses the terms TLS and
SSL in a confusing manner.  I've been meaning to ask Kent
to revise it.

>
>>SSL and TLS are two names for the same thing (see archives).
>>OpenLDAP Software (including libraries) will error if you
>>attempt to do so.

>
>>>Do I have an option to just do SSL without TLS,
>
>>Since SSL is TLS (and TLS is SSL), no.
>
>The url I mentioned seems to back up my earlier assumption that you could 
>do SSL without TLS, and vice versa.
>
>What I think is happening is mod_auth_ldap
>is trying to do both - presumably that works fine with many configurations, but
>no mine. I need to have an SSL tunnel and not worry about TLS.

SSL and TLS are the same thing.


>To illustrate:
>
>
>[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -x -H 'ldaps://ldaphost.domain/o=org' uid=user

This (ldaps://) initiates TLS upon establishment of the TCP
stream (on port 636).

>[user@server httpd-2.0.49]$ /opt/bin/ldapsearch -ZZ -x -H 'ldaps://ldaphost.domain/o=org' uid=user

This asks that TLS be established upon establishment of the TCP
stream (on port 636) and subsequently requests that TLS be established
(again) via use of the LDAP Start TLS operation.

>ldap_start_tls: Operations error (1)
>        additional info: TLS is is already established
>[user@server httpd-2.0.49]$

This indicates that the LDAP Start TLS operation (induced
by -ZZ) failed because TLS was already established (due to
use of ldaps://).

>Does that make any sense?
>Maybe we're getting startTLS and TLS confused here?

Maybe.  TLS (SSL) is a security layer.  StartTLS is a mechanism
for starting TLS.  ldaps:// is another mechanism for starting
TLS.
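The following is an added example (not code from this thread or from OpenLDAP) that models the two mechanisms discussed above: ldaps:// turns TLS on as soon as the TCP stream is up, while Start TLS is an LDAP extended operation (OID 1.3.6.1.4.1.1466.20037, result code 1 = operationsError) sent inside the LDAP session. It BER-encodes and decodes a real Start TLS ExtendedRequest per RFC 4511, and drives a simplified server state machine (the state machine, the `connect` helper and the diagnostic string are assumptions made for the illustration, modelled on the ldapsearch output quoted above) to show why `-ZZ` together with `ldaps://` fails while either alone succeeds.

```python
"""Model of ldaps:// (implicit TLS) versus the Start TLS extended operation.

Added example, not OpenLDAP code. BER layout follows RFC 4511; the session
state machine and diagnostic text are a simplified model (assumption).
"""
from dataclasses import dataclass, field

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 / RFC 2830
RESULT_SUCCESS = 0
RESULT_OPERATIONS_ERROR = 1
TAG_SEQUENCE = 0x30            # LDAPMessage
TAG_INTEGER = 0x02             # messageID
TAG_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
TAG_REQUEST_NAME = 0x80        # [0] requestName, context-specific primitive


def ber_length(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_start_tls_request(message_id):
    """LDAPMessage { messageID, extendedReq { requestName = Start TLS OID } }."""
    if not 1 <= message_id <= 127:
        raise ValueError("example keeps messageID to one byte")
    ext = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, START_TLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + ext)


def read_tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_extended_request(msg):
    """Return (messageID, requestName OID) from an ExtendedRequest message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, ext, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_REQUEST:
        raise ValueError("not an ExtendedRequest")
    tag, name, _ = read_tlv(ext, 0)
    if tag != TAG_REQUEST_NAME:
        raise ValueError("missing requestName")
    return int.from_bytes(mid, "big"), name.decode("ascii")


@dataclass
class LdapSession:
    """Server-side view of one connection (simplified model, assumption)."""
    tls_active: bool = False
    log: list = field(default_factory=list)

    def handle_extended(self, msg):
        """Process a Start TLS request; returns (resultCode, diagnosticMessage)."""
        _, oid = decode_extended_request(msg)
        if oid != START_TLS_OID:
            return RESULT_OPERATIONS_ERROR, "unsupported extended operation"
        if self.tls_active:
            # Mirrors the failure quoted in the thread: a second TLS layer is refused.
            return RESULT_OPERATIONS_ERROR, "TLS already established"
        self.tls_active = True
        self.log.append("TLS established via Start TLS extended operation")
        return RESULT_SUCCESS, ""


def connect(uri, start_tls):
    """Model `ldapsearch -H <uri> [-ZZ]`; returns (tls_active, resultCode, diagnostic)."""
    scheme = uri.split("://", 1)[0]
    session = LdapSession()
    if scheme == "ldaps":
        session.tls_active = True      # handshake right after TCP connect, port 636
        session.log.append("TLS established at TCP connect (ldaps://, port 636)")
    elif scheme != "ldap":
        raise ValueError("unknown scheme: " + scheme)
    code, diag = RESULT_SUCCESS, ""
    if start_tls:                      # -ZZ: issue Start TLS and require success
        code, diag = session.handle_extended(encode_start_tls_request(1))
    return session.tls_active, code, diag


if __name__ == "__main__":
    for uri, zz in [("ldaps://ldaphost.domain/o=org", False),
                    ("ldaps://ldaphost.domain/o=org", True),
                    ("ldap://ldaphost.domain/o=org", True)]:
        print(uri, "-ZZ" if zz else "", "->", connect(uri, zz))
```

Only the `ldaps://` plus `-ZZ` combination yields result code 1, because the server already has a TLS layer on the stream when the Start TLS request arrives; `ldap://` with `-ZZ` and plain `ldaps://` both end with TLS active.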