[Date Prev][Date Next] [Chronological] [Thread] [Top]

LDAPS vs. StartTLS ext. op. (was: Re: failover config: servers with....)

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: LDAPS vs. StartTLS ext. op. (was: Re: failover config: servers with....)
From: Michael Ströder <michael@stroeder.com>
Date: Wed, 25 Jul 2007 18:53:46 +0200
Cc: openldap-software@openldap.org
In-reply-to: <4C80A2DB7D4B6733ED0C82F5@deus-ex.zimbra.com>
References: <20070723135119.GC13339@NetBSD.org> <4C80A2DB7D4B6733ED0C82F5@deus-ex.zimbra.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070716 SeaMonkey/1.1.3

Quanah,

Quanah Gibson-Mount wrote:
> 
> Just note that using SSL over port 636 is not a defined protocol, and
> may go away in the future.  Avoidance of its use when possible recommended.

- IMO StartTLS ext. op. is flawed because there's no way to mandate the
use of it before a misbehaving LDAP client has a chance to send
credentials on the wire.
- Also StartTLS ext. op. is rarely supported by LDAP clients.

=> If the OpenLDAP developers were really crazy enough to remove support
for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business
immediately. Period.

Ciao, Michael.

Follow-Ups:
- Re: LDAPS vs. StartTLS ext. op.
  - From: Howard Chu <hyc@symas.com>

References:
- failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Emmanuel Dreyfus <manu@netbsd.org>
- Re: failover config: servers with same DNS address and TLS, subjectAltName extension
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: Configuring TLS
Next by Date: Re: LDAPS vs. StartTLS ext. op.
Index(es):
- Chronological
- Thread