Ahh.. Thanks for the explanations.

-Mike


From: Chris.Jacobs@apollogrp.edu
To: mlstarling31@hotmail.com; daff@pseudoterminal.org; openldap-technical@openldap.org
Date: Fri, 7 Jan 2011 12:55:57 -0700
Subject: RE: Strange behavior with TLS with self-signed certs

Equipment limitation: Our old load balancers could load balance StartTLS, not SSL.  Our new ones can load balance SSL, not StartTLS.

Paranoia: If you wish to encrypt the entire session, from the very beginning, use SSL.

Firewall limits you to port 389 (corp policy, difficult network/firewall team, etc):  … and want encryption, then use StartTLS.

 

- chris

 

From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Michael Starling
Sent: Friday, January 07, 2011 11:45 AM
To: daff@pseudoterminal.org; openldap-technical@openldap.org
Subject: RE: Strange behavior with TLS with self-signed certs

 

Ok..I implemented what you explained for testing purposes and found the following to be true:

If I use ssl start_tls with the ldap:// URL schema then my client connects to my LDAP server on port 389.
If I use ssl on with ldaps://. then my client connects on port 636.

I think i remember reading somewhere that TLS could use either port so my question is when my client connects on 389 using ssl start_tls is the session encrypted?
My other question would be why the two different means to the same end? Is it just a matter of which port you want to use?


-Mike

> From: daff@pseudoterminal.org
> To: openldap-technical@openldap.org
> Subject: Re: Strange behavior with TLS with self-signed certs
> Date: Fri, 7 Jan 2011 19:45:46 +0100
>
> On Friday 07 January 2011 04:18:40 Michael Starling wrote:
> > #TLS settings
> > ssl start_tls
> > ssl on
>
> That should be either "ssl start_tls" OR "ssl on", not both. If you
> specify "ssl start_tls" then you should use the ldap:// URL schema, if
> you specify "ssl on" then you should use ldaps://.
>
> Andreas



This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.