btb wrote:
> On 2013.10.02 07.29, Axel Grosse wrote:
>
>> when I test on the server itself ..
>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
>> ./ssl/VordelCA.crt
>> CONNECTED(00000003)
>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:188:
>
> ldaps [port 636] is deprecated.
> use starttls with the standard port [389].
> to test, just use ldapsearch [see the reference to -Z in the man page]

This is nonsense. From a security perspective there's no reason not to use LDAPS. Well, I'd even recommend LDAPS since the SSL/TLS handshake is done *before* a client can send an LDAP PDU.

With my deployments I always enable both but prefer LDAPS.

I cannot imagine that any LDAP server or client will ever drop support for LDAPS since this would immediately rule out this implementation from broader market share.

Ciao, Michael.
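Added illustration, not part of the thread: the difference Michael points to is visible in the first bytes a client puts on the wire. With StartTLS the client first sends a cleartext LDAP ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511) on port 389 and only then starts TLS; with LDAPS the first bytes are a TLS ClientHello. The code below builds that StartTLS PDU, parses the server's ExtendedResponse, and classifies a captured stream by its leading bytes; the sample bytes are constructed and no network is used.

```python
# Constructed example: BER encoding of the LDAP StartTLS exchange (RFC 4511 4.14)
# and a classifier for what a passive observer sees first on a connection.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation OID

def ber_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def starttls_request(msg_id=1):
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }
    # msg_id kept below 128 so the INTEGER fits one octet (demo simplification)
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def read_tlv(data, pos):
    # Decode one TLV at data[pos:]; returns (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def parse_extended_response(data):
    # Returns (messageID, resultCode, diagnosticMessage) for an ExtendedResponse
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(msg, 0)
    t, ext, _ = read_tlv(msg, p)
    if t != 0x78:                          # ExtendedResponse [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    _, rc, p = read_tlv(ext, 0)            # resultCode ENUMERATED
    _, _, p = read_tlv(ext, p)             # matchedDN, ignored here
    _, diag, _ = read_tlv(ext, p)          # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode()

def first_bytes_mode(data):
    # LDAPS: TLS handshake record (0x16, version 0x03xx) before any LDAP PDU.
    # Plain LDAP or StartTLS: a BER SEQUENCE (0x30) in cleartext comes first.
    if data[:2] in (b"\x16\x03", b"\x16\x02"):
        return "tls-first"
    if data[:1] == b"\x30":
        return "ldap-cleartext"
    return "unknown"
```

The handshake failure quoted above is the symptom of the first case meeting the second: a TLS ClientHello sent to a listener that is waiting for a cleartext LDAP PDU.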