
Re: failover config: servers with same DNS address and TLS, subjectAltName extension
manu@netbsd.org (Emmanuel Dreyfus) writes:
> Quanah Gibson-Mount <quanah@zimbra.com> wrote:

>> Just note that using SSL over port 636 is not a defined protocol, and may
>> go away in the future.  Avoidance of its use when possible is recommended.

> I have this in /etc/services:
> ldaps           636/tcp    ldap protocol over TLS/SSL (was sldap)

> And checking the authoritative source confirms it's registered.  
> http://www.iana.org/assignments/port-numbers
>  
> So what's wrong with LDAP/SSL over port 636?

There is a general trend for all IETF protocols away from using TLS on a
separate port and towards using the standard port and STARTTLS.
Allocating a second port for every major protocol, one with TLS and one
without, was becoming wasteful of additional ports and there's no need for
it given STARTTLS.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
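As an added illustration of the in-band upgrade the reply refers to (example code, not from anyone in this thread): the LDAP StartTLS ExtendedRequest a client sends on the standard port 389, and the ExtendedResponse check it must pass before it may start the TLS handshake. The OID and BER tags follow RFC 4511; the sample replies are constructed.

```python
# Added example, not code from the thread: what "STARTTLS on the standard port"
# looks like on the wire for LDAP. A client on port 389 sends an ExtendedRequest
# carrying OID 1.3.6.1.4.1.1466.20037 (RFC 4511) and may wrap the socket in TLS
# only after an ExtendedResponse with resultCode 0. Sample replies are constructed.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_len(n: int) -> bytes:
    if n < 0x80:                      # short definite form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long definite form

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:         # INTEGER, minimal two's complement
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def starttls_request(message_id: int) -> bytes:  # LDAPMessage { id, extendedReq }
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))  # 0x77 = [APPLICATION 23], 0x80 = requestName [0]
    return tlv(0x30, ber_int(message_id) + ext_req)

def read_tlv(buf: bytes, pos: int = 0):   # -> (tag, value, position after element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data: bytes) -> dict:  # LDAPMessage { id, extendedResp }
    _, body, _ = read_tlv(data)
    tag, mid, pos = read_tlv(body)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x78:                   # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(resp)     # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)   # matchedDN (ignored)
    _, diag, pos = read_tlv(resp, pos)  # diagnosticMessage
    name = read_tlv(resp, pos)[1] if pos < len(resp) else b""  # responseName [10], optional
    return {"message_id": int.from_bytes(mid, "big", signed=True), "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode(), "response_name": name.decode()}

def tls_may_start(response: bytes) -> bool:  # only success (0) permits the TLS handshake
    return parse_extended_response(response)["result_code"] == 0

# Constructed samples: a success reply and an operationsError (1) reply to message 1.
SAMPLE_OK = tlv(0x30, ber_int(1) + tlv(0x78, tlv(0x0A, b"\x00") + tlv(0x04, b"")
                + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)))
SAMPLE_FAIL = tlv(0x30, ber_int(1) + tlv(0x78, tlv(0x0A, b"\x01") + tlv(0x04, b"") + tlv(0x04, b"TLS not available")))
```

A capture of port 389 traffic that shows the request above followed by a resultCode 0 response is the point at which the session should switch to a TLS handshake; anything cleartext after that is worth investigating.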