Re: LDAPS vs. StartTLS ext. op.

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:
> Quanah,
>
> Quanah Gibson-Mount wrote:
> > Just note that using SSL over port 636 is not a defined protocol, and
> > may go away in the future.  Avoidance of its use when possible recommended.
>
> - IMO StartTLS ext. op. is flawed because there's no way to mandate the
> use of it before a misbehaving LDAP client has a chance to send
> credentials on the wire.

I agree. But it's too late to fix this in LDAPv3.

> - Also StartTLS ext. op. is rarely supported by LDAP clients.

True, but I don't see that we have any influence over that.

> => If the OpenLDAP developers were really crazy enough to remove support
> for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business
> immediately. Period.

If someone at IANA were to tell us that this number assignment was officially 
withdrawn, then we would drop it. We really wouldn't have much choice, nor 
would any other implementor that wanted to claim that their LDAP product was 
fully IETF-compliant.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/