
Re: how to ssl only, not tls?

Well, as TLS and SSL refer to the same data security
technology, your question seems a bit confused.  If
you mean TLSv1 vs., say, SSLv2 (or some other pair of
TLS/SSL versions), you can enable/disable versions of
TLS/SSL via TLS cipher suite options.  See OpenSSL
documentation for cipher suite options.

If, however, what you mean is to only allow initiating
TLS via a separate port, e.g., ldaps://, instead
of by the LDAP Start TLS operation, I don't recall
an option to disable the Start TLS operation while allowing
use of ldaps://.  Generally, it is best to provide the
standards-track mechanism for initiating TLS/SSL (if one is
going to allow TLS/SSL to be initiated).

The error message below happens regardless of which
mechanism is used to initiate TLS/SSL.  Have you gotten
OpenSSL's sample client/server programs working with your
certificates?  If not, you should start there.

At 09:36 AM 5/31/2005, kk_q wrote:
>some ldap clients do not support tls, and support ssl.
>then I edit slapd.conf, changing all "TLS" lines to #TLS, like:
>
>#TLSCACertificateFile server.pem
>#TLSCertificateFile server.pem
>#TLSCertificateKeyFile server.pem
>
>and run slapd -d 256 -h "ldaps://0.0.0.0/" -f /path/to/slapd.conf.
>run the dis-tls client.
>slapd reports an error:
>
>conn=11 fd=10 accept from ip=127.0.0.1:57203(ip=0.0.0.0:636)
>TLS:can't accept.
>TLS:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052
>conn=11 fd=10 closed
>
>the client can't connect to the ldap server.
>now, I want to know how to make the server side ssl only, not tls?
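An added example, not part of this thread, for reading the slapd log line quoted above: it unpacks the OpenSSL error code into its library/function/reason fields and maps the reason onto the TLS alert the peer sent, which tells you which side rejected the handshake. It assumes the OpenSSL 0.9.x/1.x code packing seen in the log (and the 3.x packing when the function field is empty); the function names are my own.

```python
import re

# OpenSSL reports a TLS alert received from the peer as reason code
# SSL_AD_REASON_OFFSET + alert number (alert numbers from RFC 2246 section 7.2).
SSL_AD_REASON_OFFSET = 1000
ERR_LIB_SSL = 20
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    70: "protocol_version", 71: "insufficient_security",
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode_openssl_error(line):
    """Unpack an OpenSSL 'error:XXXXXXXX:lib:func:reason' string found in a log line."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    func_name = m.group(3)
    reason_text = re.sub(r"\s+\S+\.c:\d+$", "", m.group(4)).strip()  # drop 'file.c:NNN'
    if func_name:
        # OpenSSL 0.9.x/1.x packing (as in the quoted log): lib:8 | func:12 | reason:12
        lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    else:
        # OpenSSL 3.x packing: no function field, lib in bits 23..30, reason below
        lib, func, reason = (code >> 23) & 0xFF, 0, code & 0x7FFFFF
    info = {"lib": lib, "func": func, "reason": reason, "reason_text": reason_text,
            "peer_alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = alert
        info["alert_name"] = ALERT_NAMES.get(alert, "alert_%d" % alert)
    return info

def diagnose_slapd_tls(line):
    """Turn a slapd 'TLS: can't accept' error line into a defender-facing diagnosis."""
    info = decode_openssl_error(line)
    if info is None:
        return "no OpenSSL error code found"
    if info["peer_alert"] is not None:
        # In slapd's accept path the alert was sent BY THE CLIENT, which rejected the
        # server certificate; the server's own TLS* directives are not what failed.
        msg = "client sent TLS alert %d (%s)" % (info["peer_alert"], info["alert_name"])
        if info["peer_alert"] == 48:
            msg += ": client cannot chain the server cert to a trusted CA; install the issuing CA on the client (TLS_CACERT in ldap.conf)"
        return msg
    return "local SSL error, reason %d: %s" % (info["reason"], info["reason_text"])

# Sample input: the slapd -d 256 line quoted in the thread, embedded here for offline use.
SAMPLE_LOG = "TLS:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1052"
```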