On 2013.10.03 12.13, Michael Ströder wrote:
> On Oct 2, 2013, at 11.47, Michael Ströder <michael(a)stroeder.com> wrote:
>> btb wrote:
>>> On 2013.10.02 07.29, Axel Grosse wrote:
>>>> when I test on the server itself ..
>>>> openssl s_client -connect 192.168.30.169:389 -showcerts -CAfile
>>>> 710:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>> ldaps [port 636] is deprecated.
>>> use starttls with the standard port .
>>> to test, just use ldapsearch [see the reference to -Z in the man page]
>> This is nonsense.
>> From a security perspective there's no reason not to use LDAPS. Well,
>> recommend LDAPS since SSL/TLS handshake is done *before* a client can send an
>> LDAP PDU.
>> With my deployments I always enable both but prefer LDAPS.
>> I cannot imagine that any LDAP server or client will ever drop support for
>> LDAPS since this would immediately rule out this implementation from broader
>> market share.
> i'm not sure what exactly you mean by "this is nonsense". ldaps was
> offered as a formal specification, and *is* deprecated.
I don't know of any document forbidding use of LDAPS.
I don't know any server which implements StartTLS which is not capable of
LDAPS (despite configuration choice).
deprecated != forbidden. no has has claimed there are any servers which
only implement starttls.
> that's a fact:
FAQ entries are no formal specification. But you should read all of the FAQ:
i guess you could take that up with the author of the faq entry - but
you're right about formal specifications being important ;) . it's
probably also worth noting that there are other quite well recognized
protocols which have deprecated and/or abandoned their "tunneled"
counterparts, some quite formally so - smtp, imap, and xmpp are a few
which come to mind.
"Although there is no technical specification for ldaps:// it is
sorry, i'm not sure what you're getting at. i've already clearly stated
exactly that, as is clearly seen below.
> ldaps may well be in continued use even given its deprecation,
but no one
> is debating that, and it's continued use in light of being deprecated does
> not change that it's deprecated. we all know it's still heavily used, and
> probably will continue to be for, at the very least, quite some time.
And because it's heavily used it's nonsense to teach everybody this pseudo
argument about "deprecated". And as said I find it even to be more secure.
you're welcome to find ldaps more secure than starttls. plenty of
this has probably veered off topic enough at this point. over and out.