30 messages in org.openldap.openldap-software: Re: LDAPS vs. StartTLS ext. op.

From                    Sent On
Emmanuel Dreyfus        Jul 23, 2007 6:50 am
Quanah Gibson-Mount     Jul 23, 2007 11:01 am
Emmanuel Dreyfus        Jul 23, 2007 1:09 pm
Quanah Gibson-Mount     Jul 23, 2007 1:18 pm
Russ Allbery            Jul 23, 2007 4:35 pm
Christopher Cowart      Jul 23, 2007 7:40 pm
Howard Chu              Jul 23, 2007 9:58 pm
Emmanuel Dreyfus        Jul 24, 2007 1:02 am
Howard Chu              Jul 24, 2007 1:54 am
Emmanuel Dreyfus        Jul 24, 2007 12:18 pm
Quanah Gibson-Mount     Jul 25, 2007 8:52 am
Emmanuel Dreyfus        Jul 25, 2007 9:06 am
Quanah Gibson-Mount     Jul 25, 2007 9:47 am
Michael Ströder         Jul 25, 2007 9:53 am
Emmanuel Dreyfus        Jul 25, 2007 10:36 am
Quanah Gibson-Mount     Jul 25, 2007 10:46 am
Howard Chu              Jul 25, 2007 2:31 pm
Michael Ströder         Jul 25, 2007 2:38 pm
Howard Chu              Jul 25, 2007 2:44 pm
Russ Allbery            Jul 25, 2007 2:45 pm
Norman Gaywood          Jul 25, 2007 3:04 pm
Emmanuel Dreyfus        Jul 25, 2007 8:30 pm
Emmanuel Dreyfus        Jul 25, 2007 8:31 pm
Howard Chu              Jul 25, 2007 11:17 pm
Ralf Haferkamp          Jul 26, 2007 1:27 am
Emmanuel Dreyfus        Jul 26, 2007 4:04 am
Emmanuel Dreyfus        Jul 26, 2007 4:04 am
Donn Cave               Jul 26, 2007 9:38 am
Ralf Haferkamp          Jul 26, 2007 11:46 am
Howard Chu              Jul 27, 2007 2:13 am
Subject: Re: LDAPS vs. StartTLS ext. op.
From: Howard Chu (hy@symas.com)
Date: Jul 25, 2007 2:31:16 pm
List: org.openldap.openldap-software

Michael Ströder wrote:
> Quanah,
>
> Quanah Gibson-Mount wrote:
>> Just note that using SSL over port 636 is not a defined protocol, and may go away in the future. Avoidance of its use when possible is recommended.
>
> - IMO StartTLS ext. op. is flawed because there's no way to mandate the use of it before a misbehaving LDAP client has a chance to send credentials on the wire.

I agree. But it's too late to fix this in LDAPv3.

> - Also StartTLS ext. op. is rarely supported by LDAP clients.

True, but I don't see that we have any influence over that.

> => If the OpenLDAP developers were really crazy enough to remove support for LDAPS from OpenLDAP I'd kick OpenLDAP out of my business immediately. Period.

If someone at IANA were to tell us that this number assignment was officially withdrawn, then we would drop it. We really wouldn't have much choice, nor would any other implementor that wanted to claim that their LDAP product was fully IETF-compliant.
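The practical question behind this exchange is what an administrator can do about the StartTLS ordering problem Michael describes. The fragment below is an added slapd.conf example, not configuration from the thread or from the OpenLDAP project's documentation; the certificate paths are placeholders. It uses the slapd `security` directive to refuse any simple bind that arrives without a TLS security strength factor of at least 128, and leaves both the ldaps:// listener and StartTLS on ldap:// available (the listeners themselves are chosen on the slapd command line, e.g. `slapd -h "ldap:/// ldaps:///"`).

```conf
# Added example slapd.conf fragment (not from the thread).
# Certificate paths below are placeholders.
TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSCACertificateFile /etc/openldap/certs/ca.crt

# Reject simple binds unless the session already has SSF >= 128
# (i.e. TLS was negotiated, either via ldaps:// or StartTLS).
# A cleartext simple bind gets "confidentiality required" instead
# of being authenticated.
security simple_bind=128

# Stricter variant: require SSF >= 128 for every operation, so even
# anonymous searches in the clear are refused.
# security ssf=128
```

The caveat is exactly the one Michael raises: `simple_bind=128` makes the server refuse the bind, but a misbehaving client that sends a simple bind before issuing StartTLS has already put the password on the wire by the time the refusal comes back. The server-side rule is therefore a backstop that stops cleartext credentials from ever granting access, and a useful thing to watch for in slapd logs, but it cannot protect the secret itself. The client side still has to be configured to negotiate TLS before binding, either by using an ldaps:// URI or by calling StartTLS (for example `ldap_start_tls_s()` in the OpenLDAP C API, or `start_tls_s()` in python-ldap) before `simple_bind`, with `TLS_REQCERT demand` in ldap.conf so that certificate verification failures abort the connection rather than falling back.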