https://bugs.openldap.org/show_bug.cgi?id=9938
Issue ID: 9938
Summary: Deprecate STARTTLS, recommend LDAPS
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: documentation
Assignee: bugs@openldap.org
Reporter: martin.von.wittich@iserv.eu
Target Milestone: ---
This has been discussed on the mailing list before, but unfortunately it seems to have gotten lost in the shuffle: https://www.openldap.org/lists/openldap-technical/201802/msg00004.html
To me this rationale for SMTP submission with implicit TLS seems also applicable to LDAPS vs. StartTLS:
https://tools.ietf.org/html/rfc8314#appendix-A
So LDAPS should not be considered deprecated. Rather it should be recommended and the _optional_ use of StartTLS should be strongly discouraged.
Currently, https://www.openldap.org/faq/data/cache/605.html (Start TLS v. ldaps://) still recommends STARTTLS over LDAPS. This unfortunately leads LDAP client implementers to create clients that only support STARTTLS, e.g. here: https://github.com/odoo/odoo/issues/9772#issuecomment-159943316
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org --- The FAQ is historic, 99% of what's in it is incorrect.
--- Comment #2 from martin.von.wittich@iserv.eu --- (In reply to Quanah Gibson-Mount from comment #1)
> The FAQ is historic, 99% of what's in it is incorrect.
Hmm, would it be possible to add a warning to all FAQ articles, or even to get rid of it completely? The FAQ unfortunately features rather prominently in Google search results, e.g. if I search for "openldap starttls", https://www.openldap.org/faq/data/cache/185.html is the second result. Apart from the rather outdated design and the "Copyright 1998-2013" line at the very bottom, it's not at all obvious to visitors that the information is outdated.
A quick search for "site:github.com inurl:issues "openldap.org/faq"" shows that e.g. the STARTTLS FAQ article seems to be quoted often:
https://github.com/osixia/docker-openldap/issues/160
https://github.com/osixia/docker-openldap/issues/11
https://github.com/it-novum/openITCOCKPIT/issues/985
https://github.com/processone/ejabberd/issues/794
https://github.com/wekan/ldap/issues/70
https://github.com/shaj13/go-guardian/issues/116
https://github.com/gravitee-io/issues/issues/3782
https://github.com/dexidp/dex/issues/907
https://github.com/portainer/portainer/issues/1119
--- Comment #3 from Howard Chu hyc@openldap.org --- Until someone writes an RFC for this, we should not deprecate anything.
Some of the points raised in https://www.rfc-editor.org/rfc/rfc2595#section-7 are certainly no longer relevant. E.g., nobody uses 40 bit "export" ciphers any more. Coming from the opposite side, SASL has recently been neutered and new mechanisms don't include a security layer, instead relying on TLS to do that job. (I.e., the "SL" in "SASL" doesn't exist in any modern SASL mechanisms.)
Personally I'm opposed to using a separate port. IMO the default port should always be 389, clients can default to using TLS, and servers can auto-detect if a TLS or cleartext connection is being established. Regardless of whether you use TLS or StartTLS and a dedicated port 636 or not, it all comes down to site-specific policies and configurations, and the specific default values you choose are irrelevant.
Since any server can listen on any arbitrary port number, using different port numbers to distinguish cleartext vs TLS sessions was always an idiotic idea. That useless practice needs to end.
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to martin.von.wittich from comment #2)
> (In reply to Quanah Gibson-Mount from comment #1)
> > The FAQ is historic, 99% of what's in it is incorrect.
> Hmm, would it be possible to add a warning to all FAQ articles, or even to get rid of it completely?
The goal is to replace it in the long run with current up to date information.
That aside, the main issues I see are:
a) StartTLS is actually defined in an RFC for LDAPv3 while LDAPS is not part of any RFC
b) Given the order of operations, it's easier to leak credentials when using ldap:/// even if TLS is mandated on the server side than it is with ldaps:///
However, I'd generally say that this ITS should be closed. This is an issue that should be raised with the LDAP IETF working group, not the OpenLDAP project, since it's an issue that applies to LDAP in general, not a specific implementation of LDAP.
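The following is an added example, not code from the ITS or from the OpenLDAP project, that illustrates two points made above: comment #3's observation that a server on a single port can tell a TLS handshake from a cleartext LDAP PDU by its first bytes, and comment #4's point (b) that an ldap:// client can send a simple bind before StartTLS, which an ldaps:// client cannot do because the TLS handshake precedes any LDAP PDU. The minimal BER encoder/decoder, the sample PDUs and the TLS record prefix are constructed here from the RFC 4511 and RFC 5246 layouts; all function names are assumptions of this example.

```python
"""Added example: distinguish TLS from cleartext LDAP on one port, and audit a
cleartext LDAP stream for simple binds that carry a password before StartTLS.
Everything here is self-contained; the PDUs are built locally, not captured."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended op

def classify_first_bytes(data: bytes) -> str:
    """Classify what a peer sent first: 'tls', 'ldap' or 'unknown'.
    A TLS record begins with content type 0x16 (handshake) and major version
    0x03; an LDAPMessage is a BER SEQUENCE, tag 0x30. This is the auto-detect
    comment #3 describes, done on the first bytes only."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data[:1] == b"\x30":
        return "ldap"
    return "unknown"

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it).
    LDAP forbids indefinite lengths, so 0x80 alone is rejected."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        if k == 0:
            raise ValueError("indefinite length is not valid in LDAP")
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos = pos + 2 + k
    return tag, buf[pos:pos + n], pos + n

def ldap_message(message_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }."""
    assert 0 <= message_id < 0x80, "example supports single-byte message IDs"
    return ber(0x30, ber(0x02, bytes([message_id])) + op)

def bind_request(dn: str, password: str, message_id: int = 1) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] }.
    Constructed sample; an empty name and password is an anonymous bind."""
    body = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ldap_message(message_id, ber(0x60, body))

def starttls_request(message_id: int = 1) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID }."""
    return ldap_message(message_id, ber(0x77, ber(0x80, STARTTLS_OID)))

def audit_cleartext_pdus(pdus) -> list:
    """Walk client PDUs in wire order, as seen before any TLS handshake, and
    report simple binds with a non-empty password sent before StartTLS. This
    is the credential-leak ordering of comment #4 (b); with ldaps:// no PDU is
    ever visible in cleartext, so there is nothing to audit."""
    findings = []
    for pdu in pdus:
        tag, msg, _ = read_tlv(pdu)
        if tag != 0x30:
            findings.append("non-LDAP data in cleartext stream")
            continue
        _, _msg_id, pos = read_tlv(msg)
        op_tag, op, _ = read_tlv(msg, pos)
        if op_tag == 0x77:                      # ExtendedRequest
            name_tag, name, _ = read_tlv(op)
            if name_tag == 0x80 and name == STARTTLS_OID:
                break                           # later PDUs travel inside TLS
        elif op_tag == 0x60:                    # BindRequest
            _, _version, p = read_tlv(op)
            _, dn, p = read_tlv(op, p)
            auth_tag, cred, _ = read_tlv(op, p)
            if auth_tag == 0x80 and cred:       # simple auth with a password
                findings.append("cleartext simple bind for " + dn.decode())
    return findings

if __name__ == "__main__":
    # Constructed TLS record prefix (handshake content type, TLS 1.0 record version).
    print(classify_first_bytes(b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"))
    admin = "cn=admin,dc=example,dc=com"      # constructed sample DN
    print(classify_first_bytes(bind_request(admin, "secret")))
    print(audit_cleartext_pdus([bind_request(admin, "secret")]))
    print(audit_cleartext_pdus([starttls_request(1), bind_request(admin, "secret", 2)]))
```

The audit stops at the StartTLS request because everything after the server's success response is inside the TLS session; a real listener doing the comment #3 style auto-detect would hand a 0x16 first byte to the TLS layer and a 0x30 first byte to the LDAP decoder, then apply the same bind check to whatever arrives in cleartext.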
Quanah Gibson-Mount quanah@openldap.org changed:
What          |Removed       |Added
----------------------------------------------------------------------------
Resolution    |---           |INVALID
Status        |UNCONFIRMED   |RESOLVED
Keywords      |needs_review  |
Quanah Gibson-Mount quanah@openldap.org changed:
What          |Removed       |Added
----------------------------------------------------------------------------
Status        |RESOLVED      |VERIFIED