[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap server with TLS not working



On Oct 2, 2013, at 11.47, Michael Ströder <michael@stroeder.com> wrote:

> btb wrote:
>> On 2013.10.02 07.29, Axel Grosse wrote:
>> 
>>> when I test on the server itself ..
>>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
>>> ./ssl/VordelCA.crt
>>> CONNECTED(00000003)
>>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>> failure:s23_lib.c:188:
>> 
>> ldaps [port 636] is deprecated.
>> use starttls with the standard port [389]. 
>> to test, just use ldapsearch [see the reference to -Z in the man page]
> 
> This is nonsense.
> 
> From a security perspective there's no reason not to use LDAPS. Well, I'd even
> recommend LDAPS since SSL/TLS handshake is done *before* a client can send an
> LDAP PDU.
> With my deployments I always enable both but prefer LDAPS.
> 
> I cannot imagine that any LDAP server or client will ever drop support for
> LDAPS since this would immediately rule out this implementation from broader
> market share.

i'm not sure what exactly you mean by "this is nonsense".  ldaps was never offered as a formal specification, and *is* deprecated.  that isn't nonsense.  that's a fact: http://www.openldap.org/faq/data/cache/605.html .  ldaps may well be in continued use even given its deprecation, but no one is debating that, and it's continued use in light of being deprecated does not change that it's deprecated.  we all know it's still heavily used, and probably will continue to be for, at the very least, quite some time.

-ben